M&S and Diageo pension schemes exposed in Capita hack

If you have a pension scheme with Marks and Spencer or Diageo your personal details may have fallen into the hands of hackers.

The problem is that supermarket giant M&S and drinks firm Diageo used Capita to administer their pensions, just like hundreds of other private-sector retirement schemes.

According to Capita, hackers initially broke into its systems around 22 March 2023 and were not spotted until the end of the month. In the meantime, the company says, attackers stole data from “the small proportion of affected server estate which might include customer, supplier or colleague data.”

Bad news for Capita.

Bad news for companies like M&S and Diageo who trusted Capita to look after their data.

And bad news, of course, for the more than 100,000 pension holders whose details may have been stolen by the hackers.

And if you thought this was bad, it’s just the tip of the iceberg…

After Capita made news of its security breach public, the UK’s pension watchdog urged hundreds of pension funds to investigate if their client data might have been compromised by the attack.

Not long afterwards, USS (Universities Superannuation Scheme) – the UK’s biggest private sector pension plan – warned that around 470,000 of its members may have had their details accessed during the Capita hack.

According to USS, details that may have been accessed included names, dates of birth, national insurance numbers, and USS member numbers.

USS said that Capita was currently unable to confirm that the data had definitely been accessed by the hackers, but that it would be sensible to assume that it was.

Capita, which is used widely by the UK government, NHS, and many British organisations, has found itself in the very uncomfortable position of having to field a barrage of complaints from its clients.

Earlier this month, for instance, Colchester City Council publicly expressed its “extreme disappointment” with Capita as it sought to fully understand how Capita’s data breach had occurred, as well as any further action required.

Colchester City Council says that it is “considering what further action may be appropriate regarding Capita.”

Other councils who have reportedly had their data exposed by the Capita hack include Adur and Worthing, Coventry City Council, Derby City Council, Rochford District Council, and South Staffordshire.

Capita has declined to say whether it is prepared to pay a ransom to the hackers in the hope that it might prevent the data from being released more widely.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.