Halcrow Pensioners Association

The Capita Data Leak

The HPA committee was alerted in May 2023 to the leak (in March 2023) of pension scheme data by an article in the press, and then alerted the Jacobs Pensions Team. Shortly afterwards the Trustee published a notice on the HPS2 website which included the statement "Capita has informed us that Hartlink, their administration system used to pay your pension, was not affected and is held on a environment from the one compromised." However, on 25th May the Trustee mailed a notice to all HPS2 members alerting them to the incident, as Capita had confirmed that data for some HPS2 members had been affected. That letter included some general advice about avoiding pension scams and identity fraud. The HPS2 website states "Capita does not provide any services and does not hold any personal data for members of the Scheme who are not yet receiving their pension. The cyber-attack will not affect the personal data of these members."

On 18th July 2023 Capita, on behalf of the Trustee, sent a three-page letter to HPS2 pensioner members advising what personal data may have been involved in the incident, dispensing more advice and offering a free one-year membership of Experian's credit and web monitoring service. Needless to say, HPA is not happy about the onus being put on the pensioners to minimise the risk of incurring loss or fraud through no fault of their own. Many other organisations have been affected and it has been reported that a class action lawsuit is being prepared. Questions need to be asked and answered about why Capita needed to hold so much personal data. Surprisingly, Capita is not specifically mentioned either in a notice dated 15th May 2018, issued by the Trustee regarding GDPR and who may hold personal data of HPS2 members, or in a subsequent notice dated September 2021, despite Capita needing to have access to more personal data than others who were mentioned. It is most likely that Capita was originally awarded the contract to administer pension payments by offering the most competitive price. Did the Trustee, as "data controller", omit to periodically check that Capita was taking maximum care to keep scheme members' data secure in an increasingly challenging environment?

It is not HPA's responsibility to provide safety advice to members but, as individuals, we can share thoughts in the HPA forum. Note that there are two ongoing discussions: one in the public section of the forum and one in the members-only section. There is also a link to this FCA advice, although that does not cover the situation where a hacker has bank account details and telephone numbers. Here is a description of one possible banking hazard. Those affected may wish to write to the Trustee seeking an explanation as to why this problem was allowed to develop and asking who will compensate them for any losses and distress caused by this loss of data.