Almost half a million members of the giant USS lecturers’ pension fund may have had their personal details stolen during the recent cyber-attack on the outsourcing firm Capita.
The company, which also runs services for the NHS and military, has previously said that the attack on its servers in March may have resulted in a “limited” amount of data being compromised.
But on Friday, the Universities Superannuation Scheme (USS), which invests almost £90bn on behalf of academics, said it could not be certain whether information about 470,000 active, deferred and retired members had been taken.
It said the details that may have been stolen by the hackers included these members’ titles, initials, names, dates of birth, National Insurance numbers and pension fund membership numbers. Capita manages USS’s pension system and support.
“While Capita cannot currently confirm if this data was definitively ‘exfiltrated’ (i.e., accessed and/or copied) by the hackers, they recommend we work on the assumption it was,” USS said in a statement.
“We are awaiting receipt of the specific data from Capita, which we will in turn need to check and process.
“We will be writing to each of the members affected by this – and, where applicable, their employers – as soon as possible to make them aware, to apologise for any distress or inconvenience caused, and to provide ongoing support and advice.”
USS said it was “sorry” that its members had been affected, adding that it was “proactively engaging with Capita in respect of their ongoing investigations and are considering the next steps available to us”.
Bill Galvin, the USS group chief executive, said: “Having been told yesterday [11 May] that Capita could not guarantee the security of certain files, we’ve moved urgently to inform our members. We have given them guidance on the risks this might have created and how they might respond.
“We are very confident members’ pensions remain secure. We have reviewed our own systems and controls to ensure they remain robust. We continue to engage with Capita and will provide more information on the status of the potentially compromised data immediately it becomes available.”
USS has advised members to read a Q&A addressing the cyber-attack.
Earlier this week, Capita revealed it expects to take a hit of up to £20m as a result of the cyber-attack, which began six weeks ago when staff found they could not access their computers.
Capita admitted in mid-April that customers’ data might have been breached but said it only had evidence of a “limited” loss of information.
A Capita spokesperson said: “Capita continues to work closely with specialist advisers and forensic experts to investigate the incident and we have taken extensive steps to recover and secure the data.
“In line with our previous announcement, we are now informing those we have identified to be affected. We have worked quickly to provide our clients with information, reassurance and support, while delivering for them as a business. In instances where we need to provide further support to those affected, we will do so.”