The City regulator has contacted Capita’s corporate clients urging them to ascertain whether their customers’ data has been compromised after a cyber-attack on the outsourcer in March.
The Financial Conduct Authority said it had written to firms it regulates and which outsource work to Capita to ensure they are “fully engaged” in assessing the fallout from the data breach.
Capita is one of the government’s biggest suppliers, with £6.5bn of public sector contracts ranging from running London’s congestion charge system to recruiting soldiers for the army.
The FCA has contacted insurance companies which use Capita for administration, including FTSE 100 firms Aviva and Phoenix Group, as well as annuity providers Pension Insurance Corporation, Rothesay and Just Group, according to the FT, which first reported on the watchdog’s inquiries.
Capita is still handling the fallout from the cyber hack, which saw staff abruptly locked out of their systems in late March. The company originally said it was experiencing IT issues before later confirming it had been hacked.
The outsourcer, which also collects the BBC licence fee and runs crucial operations for the NHS, later admitted data may have been breached during the incident, with hackers having potentially had access to customer, staff and supplier details. However, it said only a small number of its computer servers were accessed during the hack with “some evidence of limited data exfiltration”.
The FCA said it had “written to FCA regulated firms that are clients of Capita to ensure they are fully engaged in understanding the extent of any data compromise”. It said companies had a responsibility to alert affected consumers if their data had been affected, and notify regulators including the Information Commissioner’s Office.
The FCA said: “We have continued to engage with Capita since their cyber incident was reported to understand the extent of any data compromise and impact on the firms they provide outsource services to including their underlying customers.”
Aviva told the FT there was “no evidence” that its customer data had been accessed.
Separately, the Pensions Regulator has asked hundreds of pension funds that use Capita as an administrator for their payment systems to study whether their clients’ data is at risk. The Sunday Times reported that the regulator has asked funds to “determine whether there is a risk to their scheme’s data”.
Capita shares have fallen by 16% since the hack occurred. A spokesperson said: “Capita has already confirmed that it continues to comply with all relevant regulatory obligations – establishing and maintaining an ongoing dialogue with relevant regulatory bodies is therefore not at all unusual.”