We're providing an update on the Capita cyber incident. Previous updates and information can be found in our news section.
The Pensions Committee and Executive Directors Team (EDT) continue to treat the Capita cyber incident very seriously. We've been working with Capita regularly since the incident occurred to understand what happened and to ensure that Capita has the correct technical and organisational measures in place to protect all data held.
Importantly, both Capita's third-party specialist adviser and the Defra Digital, Data & Technology Services (DDTS) team continue to monitor the dark web, with no evidence of any Environment Agency Pension Fund (EAPF) employee or member data being found. This monitoring has no planned end date. We understand that Capita has taken extensive steps to recover and secure the data contained within the impacted server estate, and to remediate any issues arising from the incident.
We communicated directly by letter to all affected members last year, setting out the precise categories of impacted personal data. These letters have also been added to the EAPF online accounts of impacted members and can be viewed there. The letters also provide a 24-month membership to a leading protection service, Experian, free of charge. We know that many of those affected have successfully taken up this service.
We're limited in what we can say about Capita's cyber incident and Capita’s IT infrastructure and internal processes. We signed a non-disclosure agreement (NDA) with Capita soon after the incident to ensure we could access certain confidential information quickly to assess the impact, and this unfortunately precludes us from disclosing the confidential information received from Capita.
We've provided an update on some key areas below:
- Capita appointed a third-party specialist adviser who continues to monitor the dark web to confirm that data exfiltrated as a result of this incident is not being circulated or offered for sale online. Capita's specialist advisers have been in place since the earliest days of this cyber incident. Capita does not have any evidence that any of the exfiltrated data is circulating on the dark web, or that it is available for sale online or otherwise. More detail on the dark web and what this means in practice is included in our refreshed Q&A.
- The Information Commissioner's Office (ICO), the Financial Conduct Authority (FCA) and The Pensions Regulator (TPR) have been working with Capita throughout the incident. We also self-reported the data incident to the ICO and TPR on behalf of the Pension Fund.
- In terms of the Pension Fund, on 3 February 2024 the ICO confirmed that it had considered the information we had provided to it and decided not to take any action against the Pension Fund. So far as the Pension Fund is concerned, the ICO now considers the matter to be closed. We believe this indicates that the ICO is satisfied with the information provided to it, and that the ICO has no concerns with respect to the Pension Fund's compliance with its regulatory obligations.
- We understand that the ICO's engagement with Capita is continuing. We've been told that Capita continues to work collaboratively with the ICO, and at this time the ICO has not provided Capita with a timescale for completion of its enquiries. We do not know when any report or decision on this may be made, but we'll update you when we have this information.
- The Pensions Regulator (TPR) published its report into the incident on 2 February 2024. This provides some background to the incident and the steps TPR undertook with Capita and pension schemes. It also sets out TPR's expectations of pension schemes and trustees on cyber security. Updated cyber guidance was published by TPR in December 2023. Read the TPR report published on 2 February 2024.
- The Pension Fund takes the protection of members' data very seriously. We've undertaken cyber security assessments, audits and training across the Pension Fund and key external providers (including Capita), both prior to and since this incident. We use advice from internal and external experts to ensure we meet all regulatory requirements and guidance (such as the TPR guidance).
- Since the incident, Capita has taken further steps to ensure the integrity, safety and security of its IT infrastructure to underpin its ongoing client service commitments. Capita has undertaken several initiatives to ensure that its internal IT infrastructure, processes and procedures remain compliant with all legislative and regulatory requirements for data security. Recognising the limits of how much can be publicly shared on this, Capita has stated that these initiatives include:
  - A technical report, produced using an external technical expert, covering the tactical recovery of certain aspects of the IT infrastructure and the causes of the incident. Capita's position is that the report provided the necessary assurances at this point on the areas reviewed.
  - Following the cyber incident, Capita wrote to all impacted members with details of which data items had been exfiltrated, along with recommended steps to help protect them from the risks posed by cyber-attacks such as the one experienced by Capita.
  - To provide an additional level of assurance, Capita has engaged a reputable independent third-party organisation to audit the results of the analysis it conducted. This will make sure that no member or data item has been missed from Capita's analysis. It was anticipated that this audit would be completed during autumn 2023, but its complexity has delayed completion. Capita anticipates providing us with an update for the Pension Fund within the coming months. Nothing of concern has been identified for the Pension Fund at this point. Should there be any difference to the results, we'll inform any impacted members as soon as possible.
- Whilst the Experian service has raised some additional queries and concerns for members who have received alerts from Experian, Capita has not seen any link between these alerts and the Capita incident itself. Capita considers it unlikely that the Capita incident is the source of any data that Experian has identified as being for sale and has notified a member about. The Experian service looks at data held for registered individuals over the previous 6 years up to the date of registering. We've updated our Q&A on Experian, which can be found in our Cyber hub by clicking on the 'Experian guidance' box.
- The updated Q&A provides more information on the steps to take should you receive a notification from Experian about your own data. Where specific members have come back to us, we have supported them through both Capita and Experian.
- The TPR report focuses on the communication challenge of dealing with an incident such as this. We issued over 50,000 letters as part of this incident, covering employees, deferred members, pensioner members and those who had left the Fund in the past. It has been challenging to update this wide membership consistently on progress, particularly when we've been limited in the information we can share. We hope to improve this going forward.
We've refreshed our Q&A, made it specific to the incident and post-incident activity, and included updated information on the most frequently asked questions. The information about the Experian service is now in a separate, updated Q&A, which can also be found on our cyber hub at www.eapf.org.uk/cyber.
Our work on this incident will continue for some time yet. We'll continue to update our members through our website's News section as soon as there are further developments.
We apologise for any impact this incident is causing you but can assure members that we're taking all necessary action to ensure that your data and the Pension Fund are protected.
If you have any questions, please contact info@eapf.org.uk (Capita email) or eapf@environment-agency.gov.uk (EA internal team).