Last year, we let you know that Capita (our pensions administrator) had experienced a cyber-attack. We're providing an update on the incident and results of an external data review.
Update
Capita continues to have no evidence that information resulting from this incident has been misused, or that it is available illegally including on any third-party websites. A third-party expert continues to perform daily monitoring of the dark web for trace of any exfiltrated data with no end date planned for this monitoring. This provides some reassurance on the extensive steps undertaken by Capita post incident to recover and secure the data contained within the servers impacted by the exfiltration.
Capita continue to work with all appropriate regulatory authorities regarding the incident. Capita also confirm that they've taken all appropriate steps to ensure the robustness of their networks and systems, and that they're safe, clean and secure, as verified by expert third-party advisors. We continue to work with Capita to ensure that they comply with all regulatory and technical requirements.
Following the incident, Capita completed a manual data review which identified that most of our employees, deferred and pensioner members were impacted by the incident. We wrote to impacted individuals confirming the specific data items held on the exfiltrated Capita server. We provided those individuals with access to membership of Experian for fraud monitoring services. This membership was initially for 12 months but was extended to 24 months monitoring. We're working with Capita and Experian to ensure that individuals records correctly reflect this 24 month service.
In addition to their own review, Capita appointed third-party eDiscovery experts to forensically review the data exfiltrated and to audit whether all individuals had been correctly identified. This independent audit has been ongoing since August 2023 and has recently been completed. We're confident that the time taken to complete this audit and the expertise from the eDiscovery organisation was needed to provide the reassurance that all data has been appropriately reviewed.
Audit outcome
The eDiscovery audit has identified additional impacted individuals that had not previously been communicated to us. This is made up of around 500 current employees and around 175 former employees and pensioners. We understand from Capita the reason why these individuals were not previously identified was due to the pace of the initial review. We were aware that employees who had joined the Environment Agency in the last 5 years or so were not in the original data review.
The data identified for these new members is mainly in respect of National Insurance Number and a Capita unique identifier only. According to the Information Commissioners Office’s (ICO) definition, these data items alone present a low risk to individuals. As such, we aren’t required to inform them, however we have chosen to provide the same support as was offered to all the other members who were previously notified.
There are also 6 members who were previously written to where some additional data was also found in this audit that wasn’t included previously when we wrote to them.
When are we contacting these new members?
Capita will be writing the impacted employees and members during the week commencing 3 June.
Letters will be also added to members online pensions account to ensure the gap between national communications and finding out if you’re affected, is as minimal as possible.
Further information
We've refreshed our Q&A recently and made it specific to the incident and post incident activity and also included updated information on the most frequently asked questions. The information about the Experian service is now updated in a separate Experian Q&A which can also be found on our cyber hub at www.eapf.org.uk/cyber.
Our work on this incident will continue for some time yet. We'll continue to update our members through our website's News section as soon as there are further developments. You can also see other recent updates from 20 February in our news section too. See our February cyber update.
We apologise for any impact this incident is causing you but can assure members that we're taking all necessary action to ensure that your data and the Pension Fund are protected.
If you have any questions, please contact Capita at info@eapf.org.uk or the EA internal team at eapf@environment-agency.gov.uk