M&S and Diageo pension schemes exposed in Capita hack

And that’s just the tip of the iceberg…

If you have a pension scheme with Marks and Spencer or Diageo, your personal details may have fallen into the hands of hackers.

The problem is that supermarket giant M&S and drinks firm Diageo used Capita to administer their pensions, just like hundreds of other private-sector retirement schemes.

According to Capita, hackers initially broke into its systems around 22 March 2023 and were not spotted until the end of the month. In the meantime, the company says, attackers stole data from “the small proportion of affected server estate which might include customer, supplier or colleague data.”

Bad news for Capita.

Bad news for companies like M&S and Diageo who trusted Capita to look after their data.

And bad news, of course, for the more than 100,000 pension holders whose details may have been stolen by the hackers.

And if you thought this was bad, it’s just the tip of the iceberg…

After Capita made news of its security breach public, the UK’s pension watchdog urged hundreds of pension funds to investigate if their client data might have been compromised by the attack.

Not long afterwards, USS (Universities Superannuation Scheme) – the UK’s biggest private sector pension plan – warned that around 470,000 of its members may have had their details accessed during the Capita hack.

According to USS, details that may have been accessed included names, dates of birth, national insurance numbers, and USS member numbers.

USS said that Capita was currently unable to confirm that the data had definitely been accessed by the hackers, but that it would be sensible to assume that it was.

Capita, which is used widely by the UK government, NHS, and many British organisations, has found itself in the very uncomfortable position of having to field a barrage of complaints from its clients.

Earlier this month, for instance, Colchester City Council publicly expressed its “extreme disappointment” with Capita as it sought to fully understand how Capita’s data breach had occurred, as well as any further action required.

Colchester City Council says that it is “considering what further action may be appropriate regarding Capita.”

Other councils who have reportedly had their data exposed by the Capita hack include Adur and Worthing, Coventry City Council, Derby City Council, Rochford District Council, and South Staffordshire.

Capita has declined to say whether it is prepared to pay a ransom to the hackers in the hope that it might prevent the data from being released more widely.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
