Capita staffers told attackers stole data from its own pension fund

Capita has informed some of its employees that its own pension fund was among the victims of a cybercrime attack on its system, resulting in the theft of their personal details, they say.

The technology outsourcing company – running contracts worth hundreds of millions in the UK – let workers know their addresses, pension details and national insurance numbers were among the data taken by a Russian cybercrime group during a system breach in March.

In a letter shared with UK newspaper The Times, Capita apparently told staff members a full three months after the breach that it had "identified evidence that the following personal data relating to you is within the data compromised and/or copied from Capita's systems."

The letter said the tech company had hired a consultant to check data had not been sold on the dark web.

The Financial Times also reported Capita as saying: "We are informing those we have identified to be affected by the incident, and Capita colleagues are being contacted where necessary as part of that process."

A Capita spokesperson told The Reg: "Capita continues to work closely with specialist advisers and forensic experts to investigate the incident and we have taken extensive steps to recover and secure the data.

"This is a complex investigation and the process is ongoing. In line with our previous announcement, we continue to inform those affected."

The breach first emerged in March, when Capita confirmed some of its systems fell over due to "an IT issue."

Staff at the London-based giant couldn't access their own work email, their Microsoft cloud accounts, and other systems.

Capita took its internal systems offline in late March and days later in early April confirmed its infrastructure had been attacked. Russian ransomware crew Black Basta claimed responsibility. The company has worked with the National Cyber Security Centre and other forensic experts to comb through the wreckage.

• Two top execs quit Infosys mere months after its president skipped
• Capita faces first legal Letter of Claim over mega breach
• Capita wins £50M fraud reporting contract with City of London cops
• More UK councils caught by Capita's open AWS bucket blunder

In May, early investigations indicated that 4 percent of its servers were accessed during the nine days the criminals were inside, but later the outsourcer revised this to 0.1 percent and admitted it had "evidence" customer data was stolen.

Capita administers 450 pension schemes with 4.3 million members. The outsourcing company has warned them of potential unauthorized access to their data held on servers involved in the breach.

A spokesperson for The Pensions Regulator told us back in May: "We continue to work very closely with scheme trustees, other regulators and Capita. We are calling on all trustees to work with Capita to understand how their scheme has been impacted, to fulfil their responsibilities as data controllers, and to warn members of the threat of scams and how to protect themselves. We are following up robustly with all pension schemes administered by Capita to ensure they do so."

Capita is already facing its first legal claim over the data breach. In June, Barings Law, based in England's northwest, said it had dispatched a Letter of Claim to Capita to outline its clients' case and their list of worries.

It is estimated it will cost the outsourcing biz around £20 million ($26 million) to clean up. ®