Planned maintenance: Please note EAPF Online will be unavailable between 09:00 on 30 October until 17:00 on 31 October 2019 for essential maintenance. We apologise for any inconvenience caused.

Capita recently reported a cyber incident involving hackers targeting some of its computer servers – potentially impacting several of the cross-sector businesses it serves.

We use Capita to provide our Environment Agency Pension Fund (EAPF) administration services, supported by their technology platform (Hartlink).

We’ve been working closely with Capita as they conduct forensic investigations into whether Environment Agency Pension Fund (EAPF) member data had been impacted by this incident.

It has been confirmed that EAPF member data held on Hartlink has not been compromised. 

However, regrettably, we were informed late on Friday 19 May that Capita’s investigations have identified that some personal data held on Capita computer servers has been accessed by the hackers. 

At this point, we know that the data held on these servers is mainly in relation to our pensioner members (those in receipt of a pension). However, we are aware that a small amount of other member data (around 2% of all members) has also been affected. We’re continuing to work closely with Capita to understand the full impact.

For the majority of our contributing and deferred members, at this point in time there is no evidence that there was any data held on the servers impacted.

We’re currently awaiting specific data from Capita, that we need to then check and process.  This will allow us to contact the affected members and provide more information when we write out to them.

The pensioner information potentially accessed includes:

  • Their title, initial(s), and name; their National Insurance number; their EAPF member number; their retirement date; their tax code; their pension amount and (in some, but not all cases) their date of birth and address.

For around 2% of other members potentially affected, the data potentially accessed includes:

  • Their title, initial(s), and name; their National Insurance number ONLY.

Whilst Capita cannot currently confirm if this data was definitively “exfiltrated” (i.e., accessed and/or copied) by the hackers, they recommend we work on the assumption it was.

We are contacting all affected EAPF pensioner members as soon as possible. This will be by letter where they’ll be given access to a leading identity protection service, free of charge. We’ll provide the details setting out how that will work when we contact these members. We’ve also created an area on the website for the affected members where we’ll provide helpful information, links and some Q&As all in one place which we hope will address any immediate concerns.

We’ll continue to actively engage with Capita during their ongoing investigations and will consider the next steps available to us and communicate these where necessary. We’ll also continue to engage with them about the ongoing support they’ll be providing to those affected.

Please note we are still undertaking the investigation, this is the position as we understand it so far.

We’ve reported this incident to the ICO and also informed the Pensions Regulator. Capita are in regular contact with all regulators.

We realise that this will be of concern to you. At this point, we are able to share further information about steps Capita have been taking in response to the incident which we hope will be of some reassurance:

  • Capita have appointed a third-party specialist adviser that continues to monitor the dark web to confirm that data compromised as a result of this incident is not circulating more widely. 
  • That in third party reports, they can find no evidence that data resulting from this incident is further circulating on the dark web or otherwise. 
  • Capita have taken extensive steps to recover and secure the data contained within the servers impacted by the exfiltration.

In the meantime, we want to reassure members that we’re confident that their pensions remain secure. We’ve reviewed our own systems and controls to ensure they remain robust. The EAPF member portal has not been compromised as this is held in a separate environment to the server that was accessed. Therefore, your passwords to login to your pension account remains safe.

If you’re an EAPF member and you’re wondering if your personal data has been compromised, you will be contacted in writing to confirm if this is the case.  Please do not contact Capita to ask if you’re affected. If you do need to contact Capita, please do be patient with the team. The incident has had an impact on their ‘business as usual’ processing, and they’re recovering from lost time as a result of the cyber incident.

We do understand that the incident will be a concern, but we want to reassure you that we take the responsibility of protecting our member data extremely seriously.

We will, of course, continue to be vigilant and will keep our website updated as the situation evolves.

We've provided a questions and answers document which we hope you'll find useful. 

Download our questions and answers document.


Last updated: 26/05/2023  08:55


Send message