
Millions of pension savers’ personal data targeted in Capita hack


For weeks after the attack first came to light in April, Capita insisted that there was no evidence any data had been accessed by hackers, even as stolen passport scans and other financial information were shared on a dark web site run by the Russian Black Basta criminal gang.

The software targeted by the cyber criminals is called Hartlink, which pension schemes can install on their websites to create a secure link for pensioners to view and manage their investments.

A spokesman for the Pensions Regulator described the fallout from the March cyber attack as “an ongoing situation with more detail emerging daily”.

“We are calling on all trustees to work with Capita to understand how their scheme may have been impacted, to fulfil their responsibilities as data controllers and to warn members of the threat of scams and how to protect themselves,” said the regulator.

“We are following up robustly with all pension schemes administered by Capita to ensure they do so.”

The list of companies thought to use Hartlink is extensive and includes large companies such as Axa, EE, BAE Systems and Marks & Spencer.

An Axa UK spokesman confirmed the insurer was aware of the hack, saying it was related to “the AXA UK Group Pension Scheme, a closed scheme that ceased accrual in 2013”.

It is understood that EE, another user of the Hartlink software, has not been contacted by Capita.

A Capita spokesman said the company “continues to work closely with specialist advisers and forensic experts to investigate the incident and we have taken extensive steps to recover and secure the data. In line with our previous announcement, we are now informing those we have identified to be affected”.

The spokesman refused to say whether or not the London-listed business had paid a ransom to recover control of stolen data.

Black Basta, the Russian-speaking ransomware gang who targeted Capita, broke into the company’s servers in March and published information on the dark web including passport scans and job acceptance letters sent to teachers in Sheffield.

Jon Lewis, Capita’s chief executive, claimed in April that his company’s response to the attack would “go down as a case history for how to deal with a sophisticated cyber attack”.

Stolen data published on the dark web was deleted last week, raising concerns the company may have paid a ransom to the hackers.

Capita told investors earlier this month that it was setting aside between £15m and £20m to cover costs arising from the cyber attack.

The IT outsourcer holds billions of pounds in government and private sector contracts, including a £456m deal to collect the BBC TV licence fee, as well as contracts to provide training to the Royal Navy and to offer back office IT services to NHS GP surgeries across the UK.

Capita said the Hartlink software itself is not compromised.


