Thousands of pension holders to sue Capita over ‘Russia-linked’ hack

More than 5,000 pension holders are suing Capita after retirement savings data managed by the outsourcer was stolen in a hack by suspected Russia-linked cyber criminals.

Lawyers representing the group said they had filed a claim under UK data law at the High Court against Capita on Friday.

It is the first such litigation following last year’s cyber attack. The law firm acting for the claimants estimated the case could be worth up to £5m. Capita has said it does not believe there is “any valid basis” for bringing a claim against it.

Hundreds of thousands of people were told their data may have been exposed by the hack on Capita, which came to light in March last year and hit its pensions business.

Funds impacted included the Universities Superannuation Scheme, the biggest private pension pot in Britain with almost half a million members.

Other major schemes affected include Marks & Spencer, which has more than 100,000 members, and drinks maker Diageo.

Some pensioners were told that their information including national insurance details and addresses may have been stolen as part of the cyber attack.

The Manchester-based law firm Barings, which is representing the claimants, said it had been receiving up to 50 enquiries per day about the cyber attack.

Adnan Malik, the firm’s head of data breach, said: “Our High Court action speaks volumes, echoing the concerns of thousands of distressed individuals.”

Other law firms have said they are planning further group actions against Capita over the cyber attack.

On March 31 last year, Capita suffered a “cyber incident” that disrupted its operations. It later warned many of its pension scheme customers, which used Capita’s administration services, they may have been impacted by the attack.

Last summer, Capita said the fallout of the cyber attack could cost it up to £25m. Capita’s shares have fallen almost 50pc since it first disclosed the attack in April last year, giving the group a value of around £340m.

Cyber security experts blamed the breach on Black Basta, a Russian ransomware hacking group that has unleashed a wave of attacks against Western companies.

The gang has successfully extorted $100m (£78m) from victims since it emerged in 2022, according to cryptocurrency analytics company Elliptic.

Black Basta has attacked more than 329 organisations, the researchers said, typically using computer malware that infects victims’ computers through emails.

In a report in November, Elliptic said: “The group employs double-extortion tactics whereby they extort the victim by threatening to publish stolen data unless the victim pays a ransom.”

Capita has not commented on whether or not it paid a ransom to the attackers.

While the hack impacted its pensions arm, IT outsourcer Capita also holds billions of pounds in public sector contracts, including deals to collect licence fee payments for the BBC and providing training to the Royal Navy.

At the time of the attack, Capita said around 0.1pc of its server estate had been impacted by the breach and it had blocked access to its Office 365 applications. The company said the attack had been “significantly restricted” after it was discovered and that there was only evidence of “limited data exfiltration”.

Capita said in August the exposed data was later “recovered” and made secure.

A Capita spokesman said: “There is no evidence of any information in circulation, on the dark web or otherwise, resulting from the cyber incident, and no evidence linking Capita data to fraudulent activity.

“Whilst we don’t comment on specific ongoing legal matters, we strongly reject any suggestion that there is any valid basis for bringing a claim against Capita. We hold and process data in compliance with all applicable laws and regulations.”

Capita previously said it had invested in a multi-million pound programme to upgrade its cyber security systems, which it had accelerated in the wake of the hack last March.