By Chris Vallance
Technology reporter
Around 90 organisations have reported breaches of personal data held by Capita, the outsourcing giant, according to a privacy watchdog.
The company suffered a cyber attack in March this year and it then emerged that Capita had left a pool of data unsecured online.
Hundreds of thousands of people are now being warned that they could have been affected by the hack.
Capita says it has taken steps to secure the data.
The Information Commissioner's Office (ICO), the privacy and data watchdog, said that so far around 90 organisations had been in contact regarding Capita.
“We are receiving a large number of reports from organisations directly affected by these incidents and we are currently making enquiries”, said the ICO.
Capita is used by a large number of public and private organisations and they handle the personal information of millions of people.
Many company pension schemes administer payments through Capita and its clients also include councils.
Capita is facing two issues. The first was the cyber attack earlier this year; the second followed in May, when news broke that Capita had left a repository of files unsecured online.
The company said: “Capita continues to work closely with specialist advisers and forensic experts to investigate the cyber incident and we have taken extensive steps to recover and secure the data.”
Security researcher Kevin Beaumont told the BBC the first incident, which he is “very confident” was a ransomware attack, was significant because of the breadth of data potentially at risk, which could expose victims to fraud.
Mr Beaumont alerted Capita to the second issue, which left files unsecured online, in April but it only emerged publicly the following month.
A number of councils have said they believe personal data was put at risk, although Capita initially told journalists it did not believe that this was the case.
The ICO is encouraging organisations to see if personal data they hold has been affected by the attack or by the exposed data.
Personal data is defined as information that relates to a particular individual or could be used to identify someone – such as a name or an address.
Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedom.
Pensions
The cyber attack in March hit a number of pension funds which use a Capita system called Hartlink.
Earlier this month, The Pensions Regulator (TPR) wrote to over 300 pension funds asking them to check if their data had been put at risk by the attack.
The Universities Superannuation Scheme (USS) pension fund, the UK’s main pension fund for universities, is in the process of writing to all its 500,000 members to inform them their data was at risk.
The letter, seen by the BBC, warns recipients “some of your personal information was held on Capita computer servers accessed by hackers earlier this year”.
Personal data was “accessed and/or copied” by the hackers, the letter says, including “your title, initial(s), and name, your date of birth, your National Insurance number, your USS member number and your retirement date”.
It said recipients have been given 12 months' use of a service operated by Experian, a credit score company, that helps “detect possible misuse of your personal data”.
Dr Eleanor Drage, a senior researcher at Cambridge University, was one of those who received a warning letter.
She said: “I’ve got the whole of my career ahead of me and my personal and pension data is now forever out in the wild.”
She worried that the data could be connected to other information about her and said the offer of the Experian service was “not a resolution, it’s an insult”.
She added that a number of her fellow academics had been discussing possibly taking legal action as a result of what happened.
Capita told the BBC: “We have worked quickly to provide our clients with information, reassurance and support, while delivering for them as a business.
“In instances where we need to provide further support to those affected, we will do so.”
It said the data exposed online in the second incident “was secure and no longer accessible and our investigations into this matter are ongoing.”