Approximately 470,000 members of the Universities Superannuation Scheme, the U.K.’s largest private pension fund, may have had personal details accessed during a recent data breach at pension administrator Capita.
In early April, Capita announced it had “experienced a cyber incident” on March 31 that mainly affected access to internal applications. As a result of the breach, The Pensions Regulator, the U.K.’s watchdog for workplace pensions, sent letters to hundreds of pension plan trustees to inform them of the risk to their plans’ data. The Information Commissioner’s Office, the U.K.’s independent body for upholding information rights, and the Financial Conduct Authority have also urged companies to find out whether any of their data has been stolen.
The USS stated that although it could not be certain if information about its members had been accessed or copied by the hackers, Capita recommended that the pension fund work from the assumption that it was.
According to the USS statement, it uses Capita’s technology platform Hartlink to support its in-house pension administration processes, and it has been working closely with the company during its forensic investigations. The pension fund announced that “it has been confirmed that USS member data held on Hartlink has not been compromised,” but that USS member details were held on the Capita servers accessed by the hackers.
The information potentially accessed includes the names, dates of birth, National Insurance numbers, USS member numbers, titles, initials and retirement dates of some 470,000 active, deferred and retired members, according to USS. The pension fund is waiting to receive specific data from Capita, which it will then have to check and process, and plans to write to all members affected and, where applicable, their employers.
“We are very sorry that some USS member data held by Capita may have been accessed by a third party,” USS Group CEO Bill Galvin said in a statement. “We are very confident members’ pensions remain secure.”
The ICO said in a statement that affected organizations “should also consider their position and report data breaches where necessary.” Companies are required to notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms. However, if a firm decides a breach does not need to be reported, the ICO said it should keep its own record and be able to explain why it did not report the breach.