The Capita Data Breach

Background

On Friday 31st March Capita announced what it would first describe as a “technical issue”.

This was followed up with a disclosure on the 3rd April confirming that it had experienced a “cyber incident primarily impacting access to internal applications”. The company said at the time that the “issue was limited to parts of the Capita network and there is no evidence of customer, supplier or colleague data having been compromised”.

Awareness of the severity of the attack came on the 8th April, when the “Black Basta” ransomware group added Capita to its leak website and provided proof in the form of files containing personal and financial information supposedly stolen from Capita systems. On 20th April, Capita confirmed that some of its systems had been breached and data compromised. Capita has since confirmed that pension scheme data was stolen during the attack.

How was Capita compromised? The Black Basta group typically operates using phishing emails, and it seems likely that this was the root cause of this attack. Technical specialists suspect that a phishing email was sent to a member of staff, who opened it and the corresponding attachment. This is likely to have subsequently released ransomware inside the network.

So, what is the Pensions issue?

Although most scheme data is likely held with a third-party provider, the trustee remains the Data Controller and responsible for the overall security of the data. The Pensions Regulator stated in their April 2018 Cyber security principles for pension schemes guidance “You are accountable for the security of scheme information and assets, even where you delegate or outsource day-to-day functions of your scheme”.

Trustees must ensure that all of their providers are applying “appropriate technical safeguards” to protect the information with which they are entrusted. For many this is not straightforward: cyber security is a technical topic that requires extensive knowledge and experience to manage.

Regarding the Capita breach the regulator has said “This incident shows the importance of having a robust cyber security and business continuity plan in place. Make sure you have read the cyber security guidance and check that your own plans are up to date. We may engage with you further to understand the steps you have taken and what progress you have made.”

Both regulators (the ICO and TPR) are taking a close look at what has happened to Capita and at how pension schemes as the Data Controllers managed this incident.

What can Trustees do?

There are several steps that trustee boards can undertake to establish a robust cyber-security framework. The Pensions Regulator has issued guidance that states you should:

  • Ensure you have sufficient understanding of the cyber risk: your scheme’s key functions, systems and assets, its ‘cyber footprint’, vulnerabilities and impact (and then update your risk register accordingly).
  • Introduce appropriate controls to mitigate key risks and regularly review the risks.
  • Get regular information security training.
  • Manage your suppliers.
  • Have an incident response plan.
  • Test your controls, processes and response plan regularly. You should be regularly updated on cyber risks, incidents and controls, and seek appropriate information and guidance on threats.

You can find more about this guidance on the Pensions Regulator site. We strongly recommend that trustee boards get appropriate training and implement both a cyber security policy and an incident response plan to best protect their scheme and their members.

What is Quantum doing?

We continue to work with trustee boards regarding the security of their data and provide training on how to implement a cyber security framework, keep data safe and respond when the worst happens. We also run “cyber warfare” sessions which take trustees through a simulated data breach in a controlled environment, allowing them to question their approach and gain vital experience should the worst occur. If you are interested in attending any of these training courses, please contact us to read more.

About Quantum’s Information Security

We are both ISO 27001 and Cyber Essentials Plus accredited, and the firm takes a risk-based approach to managing information security. This approach is audited externally several times per year.

Quantum continues to develop its cyber security defences, in line with the Continual Improvement process established under ISO 27001, to meet the ever-evolving threat landscape. If you have any questions regarding Quantum’s cyber security preparedness, controls or approach, please email us at info@qallp.co.uk.