About 90 organisations have reported breaches of personal information held by Capita after the outsourcing group suffered a cyber-attack, Britain’s data watchdog has said.
The company, which runs crucial services for local councils, the military and the NHS, experienced the hack, which caused a significant IT outage, in March.
Capita’s systems are used to administer pension funds for several large firms, including Royal Mail and Axa, covering millions of policyholders.
The attack prompted the Pensions Regulator (TPR) to write to more than 300 pension funds to ask them to check whether data had been stolen by hackers.
A second data breach emerged in May when it was reported that the London-based firm had left benefits data files in publicly accessible storage, prompting several councils to say they thought their data had been compromised.
The Information Commissioner’s Office (ICO) said that about 90 organisations had so far been in contact with it over the two incidents.
In a statement, the ICO said: “We are aware of two incidents concerning Capita, regarding a cyber-attack in March and the use of publicly accessible storage. We are receiving a large number of reports from organisations directly affected by these incidents and we are currently making inquiries.
“We are encouraging organisations that use Capita’s services to check their own position regarding these incidents and determine if the personal data they hold has been affected. If necessary, consider reporting a data breach to the ICO and we will use this information to inform our next steps.”
As well as administering pension funds, Capita is an important government contractor and holds billions of pounds’ worth of public sector contracts including London’s congestion charge system and disability payment assessment services for the Department for Work and Pensions.
The outsourcing firm said: “Capita continues to work closely with specialist advisers and forensic experts to investigate the cyber incident and we have taken extensive steps to recover and secure the data.
“In line with our previous announcement, we have worked quickly to provide our clients with information, reassurance and support, while delivering for them as a business.”
Organisations are required to report incidents to the ICO within 72 hours if they are aware of a data breach.
If a company decides the incident does not need to be reported, staff need to keep a record of it and be able to explain to the ICO why further reporting was not necessary.
Capita said earlier this month that the March hack could cost it as much as £20m.