Capita may be forced to compensate people exposed to cybersecurity risk after hack 

Pressure mounts against outsourcing firm as legal firms rally affected pension holders and people on benefits to seek justice

Group legal actions are lining up in the aftermath of a massive data breach that rocked the outsourcing giant in March this year, as well as a security incident where unsecured data was found online. Capita is used by a large number of public and private organisations and handles the personal information of millions of people. 

Many company pension schemes are administered through Capita – including those for around 470,000 members of the Universities Superannuation Scheme (USS) and more than 100,000 members of the Marks and Spencer pension scheme (including more than 50,000 pensioners).

The Information Commissioner’s Office – the UK’s data protection regulator – confirmed that it received a large number of reports from organisations and individuals who had been affected by the data breaches. An ICO spokesperson said:

‘We are encouraging organisations that use Capita’s services to check their own position regarding these incidents and determine if the personal data they hold has been affected.’

Lawsuits looming over Capita on behalf of millions left at risk

A number of group data breach claims have been launched on behalf of people who have been affected by the two Capita data breaches – including those from Barings Law, Hayes Connor, HNK Solicitors, and Keller Postman UK. You might also see Capita data breach claims advertised by claims management companies.

Our table shows the law firms experienced in group litigation who are currently pursuing a Capita data breach claim. We show the fee you will pay if the claim is successful (represented as a % of the damages awarded). We also illustrate each firm’s experience of handling claims like these based on the number of active data breach claims it is currently pursuing.

Legal firm	Success fee1	Data breach group actions
Barings Law	32%	7
Hayes Connor	40%	16
HNK Solicitors2	25%	11
Keller Postman UK	25%	14

¹ Including VAT. ² We had previously said that HNK Solicitors doesn’t have the appropriate insurance to protect clients from being liable for the defendant’s costs. We believed this to be correct at the time of publication but have since learned that it isn’t accurate. We apologise unreservedly.

You could be eligible to sign up to make a Capita data breach claim if you received notification saying that your data could have been put at risk by the attack or security incident. 

Consumer Voice is working with Keller Postman UK to help its team of lawyers raise awareness of its Capita data breach group action. Keller Postman UK is an experienced group action law firm, specialising in consumer representation. It is in The Legal 500 and Chambers & Partners top tier of law firms working in group litigation in London.  

What caused the Capita data breach?

Capita was attacked by the criminal ransomware gang, Black Basta, in March 2023 when it hacked Capita’s Microsoft Office 365 software and stole vast amounts of data including personal information, financial records and sensitive corporate data. Other highly sensitive data – including bank details – could also be affected.

A second data breach was reported by local authorities after benefits data was found unsecured online. This could have left personal data exposed and unprotected by a password since 2016. Capita claims that no personal bank account details were compromised by this data security breach.

Capita cyber-attack to cost firm up to £20m

Capita already expects the bill for the cyber attack to reach between £15m and £20m, covering specialist professional fees, recovery and remediation costs, as well as investment to reinforce its cyber security.

It said its investigations into the incident suggested that some data had been accessed but that this was from less than 0.1% of its server estate and that it had taken steps to secure the data. Capita wouldn’t confirm exactly how many organisations and people had been affected but, in response to the compensation claims being brought against the company, a spokesperson told Consumer Voice:

‘Capita treats cyber security with the utmost seriousness. The company has invested in a multi-year, multi-million-pound cyber security programme which has been accelerated in the wake of March’s cyber incident. Capita has since been praised by external experts for its high level of cyber preparedness, and both UK government and commercial clients have expressed their gratitude over its handling of the incident. Capita strongly rejects any suggestion that there is any valid basis for bringing claims against it as a result of the cyber incident.’

Consumers warned to watch out for scams

The Pensions Regulator issued a warning about pension scams. This is where a scammer tries to persuade you to either transfer your pension savings or release funds from it to another scheme the scammer controls.

Scammers can be very persuasive and knowledgeable, and present credible websites, testimonials and documents that make it hard to distinguish between the real thing. Be cautious if you’re contacted out of the blue, promised high or guaranteed returns, offered free reviews, told you can access your pension before you’re 55 or pressured to act quickly.

You can report a suspected scam to Action Fraud, the UK’s national reporting centre for fraud and cybercrime. You can also get advice from the consumer helpline of the financial services regulator.

Organisations and companies affected by these data breaches are responsible for the security of their customers’ data. If you have been affected by these breaches, ask the company to explain the likely consequences of the breach and what it is doing to protect you. You can take any concerns you have to the Information Commissioner’s Office.