The City regulator has reached out to Capita’s corporate clients and urged them to determine whether their client data was compromised after a March hack on the subcontractor.
The Financial Conduct Authority said it had written to companies it regulates that outsource work to Capita to ensure they are “fully engaged” in assessing the consequences of data breaches.
Capita is one of the largest suppliers to government, with £6.5bn worth of public sector contracts ranging from running London’s congestion charging system to recruiting soldiers for the army.
The FCA has contacted insurance companies that use Capita for administration, including FTSE 100 firms Aviva and Phoenix Group, as well as annuity providers Pension Insurance Corporation, Rothesay and Just Group, according to the FT, which was the first to report on the watchdog inquiries.
Capita is still dealing with the aftermath of the cyberattack, which caused staff to be abruptly locked out of their systems in late March. The company originally said that it was experiencing IT issues before later confirming that it had been hacked.
The outsourcer, which also collects the BBC’s license fee and runs crucial operations for the NHS, later admitted that data may have been breached during the incident, and that hackers could have gained access to customer, staff and provider details. However, it said only a small number of its computer servers were accessed during the attack with “some evidence of limited data exfiltration.”
The FCA said it had “written to FCA-regulated firms that are Capita clients to ensure they are fully engaged in understanding the scope of any data compromises.” It said companies had a responsibility to alert affected consumers if their data had been compromised and to notify regulators, including the Information Commissioner’s Office.
The FCA said: “We are continuing to engage with Capita since their cyber incident was reported to understand the scope of any data compromises and the impact on the companies they provide outsourcing services to, including their underlying customers.”
Aviva told the FT there was “no evidence” that its customer data had been accessed.
Separately, the Pensions Regulator has asked hundreds of pension funds that use Capita as administrator of their payment systems to check whether their clients’ data is at risk. The Sunday Times reported that the regulator has called for funds to “determine whether there is a risk to data from its scheme.”
Capita shares have fallen 16% since the hack occurred. A spokesman said: “Capita has already confirmed that it continues to comply with all relevant regulatory obligations, therefore establishing and maintaining an ongoing dialogue with the relevant regulatory bodies is nothing unusual.”