In early 2023, Capita suffered two significant data breaches which have affected a significant number of people—potentially over 100,000.
In this guide, we examine what happened and what data was impacted. We also offer some practical advice on what you can do if you’ve been impacted by the Capita data breach, such as contacting your bank and taking legal action in the form of claiming compensation.
First, let’s take a look at the Capita organisation and the service it provides.
Who Is Capita?
Most people may recognise Capita as an insurance company, however, that is just one function it serves. In the case of the data breaches that affected it, the company offers an outsourcing service for third party firms to help manage their pension schemes.
Capita has a significant number of clients, some of which have thousands of employees.
Let’s take a look at what happened with the data breaches.
About The Capita Data Breaches
Capita has been struck by two data breaches in 2023.
The first breach occurred in March 2023. This incident arose as a result of a cyber attack which targeted Capita’s systems. The successful attack led to criminals accessing the personal data of employees of around 90 organisations. Those that have confirmed they’ve been affected include:
- Royal Mail
- Axa
- The NHS
- Several local councils
- The military
- The USS (University Superannuation Scheme)
At the time, the hack led to a major outage at the outsourcer, but the damage wasn’t clear until some time later when individuals started making complaints about their data. It spurred the Pensions Regulator to write to over 300 pension funds to ask them to check on their data.
Things got worse for Capita in May 2023 when another data breach came to light. This one wasn’t a cyber attack but rather an issue relating to human error.
In this incident, it transpired that data files relating to people’s benefits were left on publicly accessible storage. It only came to light when a number of councils contacted Capita to say they thought data had been accessed without consent.
What Data Was Impacted?
When a data breach occurs, it can impact people in different ways depending on the types of personal information exposed. For example, if banking information is accessed, it could see money taken from individual accounts or efforts made to steal the person’s identity or take out credit in their name. Such incidents can obviously cause financial loss and damage.
If the exposed data relates to the likes of names, email addresses, phone numbers and dates of birth, it can cause damage of a different kind, namely psychological. Knowing that criminals know these details about you can cause distress, worry and anxiety.
Action Fraud understands that different organisations impacted by the Capita data breach have confirmed what data has been impacted precisely. The USS, for example, has confirmed that title, initials, names, dates of birth, National Insurance numbers, USS member numbers and retirement dates have all been exposed.
What Should You Do If Affected By The Breach?
If you’ve been impacted by the Capita data breach, you should receive some form of correspondence from the organisation that holds your data—this correspondence would not come from Capita directly; they’re classed as a data processor and conduct data handling tasks on behalf of the organisation you hold your pension with.
This letter or email is commonly referred to as a data breach notification letter.
Contained within this correspondence, you may discover confirmation of the impact on your personal information due to the cyber attack or the breach by Capita. The letter should provide details regarding the specific data suspected to have been compromised.
This particular letter or email holds considerable significance should you decide to delve further into potential courses of action, particularly with regard to a data breach claim. It serves as crucial evidence, validating the fact that your information has indeed been affected.
In the event that you opt to make a compensation claim concerning the Capita data breach, the communication received from your employer will prove invaluable in assisting a solicitor when determining their ability to assist you.
If you haven’t received such a letter and find yourself desiring confirmation from your employer, you retain the option to correspond with them, penning a letter requesting an investigation into the matter.
Additionally, it would be wise to maintain a vigilant watch over your bank accounts, credit rating, and online profiles in order to identify any signs of suspicious or fraudulent activity. Should an influx of unwanted messages, calls, or emails also besiege you, it could serve as an indication that your personal data has been exposed.
Under such circumstances, it is imperative to promptly contact your bank and undertake the necessary measures to update your passwords.
Recently, the PSNI suffered a data breach, which you can read all about here. This arose out of human error, so is a little different to the Capita cyber attack.