Capita data breach March 2023 - update

An FYI.

Some of you were contacted by your pension schemes back in the Spring last year about a significant cyber attack on Capita. The advice at the time was that our data had not been impacted…

I’ve recently received a letter from my pension scheme trustees to say that following external forensic investigation, it turns out that some of my personal data was “exfiltrated” including my NI number and other ID numbers (not sure what those might be). It may be that those of you who received letters a year ago may also get updates.

We have been provided, at Capita’s expense, with a 24/7 monitoring service of the dark web to check on any suspicious activity involving our data on the dark web etc. They look at mis-usage of your phone numbers, debit and credit cards, passport, driving licence, bank accounts - but not NI number (!).

I cannot understand why my company (Unilever) continues to use them. All sorts of reassurances at the time, without any substance. Obviously no one in Unilever reads Private Eye - they’ve been talking about Crapita for years! :roll_eyes:

What compensation has been offered by Crapita that will reach the victims, who will now have a years-long tail of their most personal and vulnerable-making data being exploited by dark powers all over the world… that isn’t being kept by the sticky fingers of their client companies and is actually paid to the victims.

This is a lot worse data leak than airline breaches that leaked less, but still got serious fines and had to compensate.

I think you can guess the answer to that!

As former employees, we obviously neither have, nor had a contract with Capita. Our former employers were responsible for selecting, contracting with and monitoring the performance of Capita. In the hopefully highly unlikely event of loss arising, I imagine we would look initially to our former employer/trustees for recourse, who in turn would look to Capita for redress. That said, the letter states there is (fortunately) no evidence to date of any financial loss arising to any fund member. I’d imagine that compensation would only be due if there was a direct link back from the financial loss to Capita’s own negligence.

The letter from the trustees of my former employer has clearly been heavily ‘lawyered’. There is no apology etc, merely the legalistic “we appreciate and regret that you will probably be concerned by this information” (!).

I do wish employers would have less regard to lawyers’ views in these sorts of situations and accept that sincere expressions of apology, whilst counter to legal advice, are probably much more effective than legalistic non-apologies.

In fairness to Capita (not a phrase I would often use) I suspect there are not going to be huge differences between scheme administrators, or indeed other large organisations when it comes to data protection. They’re all vulnerable to some extent to really determined hackers.

Loss doesn’t have to be financial or even proven so far as I can tell.

BA had to compensate everyone for a lesser leak. They did wiggle to put it in a form that suited them and of course the huge billions and billions of headline fine by regulator got watered down in the end but that only went as far as passport details and/or credit card numbers. There’ve been a few like this in travel in recent years. ISTR a $170 billion fine for one of the BA leaks eventually ended up as $20 billion fine paid when a crafted compensation to the individuals whose data was in the leak was made part of what BA had to pay in the end.

Capita leakage with NI data etc, has got to be worse than that. Also would have thought their negligence would be viewed as more egregious, given that handling HR type data is the core of their business not just ancillary as BA with passport and card details.

Your answer was as expected: it’s a chain of responsibility. Spotting the written-by-a-lawyer liability concealment effort I’d write back equally charmingly and enquire - as I’m sure loss doesn’t have to be proven and it sounds hard for Crapita to avoid a monster fine=guilt. And surely as it’s Crapita wouldn’t their reputation make you think they’ll do it again?