In 2023, we informed you that Capita (our pensions administrator) had experienced a cyber-attack.
The current position remains that there is no evidence that information resulting from this incident has been misused, or that it is available illegally, including on any third-party websites. An independent third-party expert continues to monitor the dark web daily for traces of any exfiltrated data. There is no planned end date for this monitoring.
Since the incident, we’ve continued to work with Capita and our professional advisors, who have undertaken a review of Capita’s data security measures. The outcome of this review confirms the robustness of the security in place, which has been assessed as ‘advanced’ in all aspects of their report. Their overview states:
“Capita have a robust and effective security governance program, supported by an Information Security Management System (ISMS) and ISO 27001 certification. Furthermore, Capita utilise an extensive list of front-line security controls to accompany a well-established incident management and business continuity process for the organisation.”
We are continuing to work with Capita throughout their 5-year cyber transformation to continue gaining assurances on the security and integrity of Capita's systems. We’ll also be utilising external advisers to support the assurances we gain from Capita and to ensure best practice.
We still have not been given an indication of when to expect the determination from the Information Commissioner's Office (ICO) in respect of their investigation into Capita. We know that Capita continue to engage with the ICO to support the investigation. We do know that ICO determinations for other organisations that have experienced a cyber-attack have taken several years. As the Capita cyber incident involved multiple pension funds, we expect this to take longer due to its complexity. We are also not aware of an incident on a similar scale to compare it to for an indication of how much longer the determination may take.
We continue to update our Q&A on this website with updates as and when they are available.
We’ve updated the Q&A around the expiry of the 24-month complimentary Experian membership (see Q.14 of the Q&A for UK members). The Experian membership was offered by Capita to provide assurance for members for an initial 12-month period. We agreed with Capita that this should be extended to 24 months to provide additional assurance.
We are not planning on extending the Experian membership beyond the current 24-month period that members may have taken out. Given the independent assurance that no exfiltrated data has been made available or misused, it will be an individual choice whether a member wishes to extend their Experian membership further at their own cost.
We keep the most up-to-date information in our Cyber Q&A on our Cyber hub at www.eapf.org.uk/cyber.