Subscribe to the daily newsletter.

Manchester law firm launches class action against Capita over data breach


A class action law suit has been launched following what lawyers have called one of the “biggest data breaches this country has ever experienced.”

Capita suffered a cyber-attack in March, with up to 90 organisations reporting breaches of personal information held by the firm. Those organisations include Royal Mail and Axa meaning potentially “millions of people” could be impacted.

Manchester-based Barings Law said it had now officially initiated legal proceedings against Capita.

So far, it has signed up 250 people who suspect their personal data may have been compromised by the breach. They say they are now fielding “30-40 enquiries a day” including from local councils.

“This could be one of the biggest data breaches this country has ever experienced,” said Adnan Malik, Barings Law’s Head of Data Breach.

“We’re receiving a staggering number of enquiries which is why we’ve officially launched legal action. The number of clients we’re signing up is growing every day, which shows how big this is.

“A lot of people who have been paying into their pension for years are really worried they’ll have nothing when they retire.

“The hackers have their home addresses, email addresses telephone numbers and even the amount of money they have in their pension pots. They have everything they need to gain access to accounts so it’s a very serious situation.

“Aside from people’s pensions being affected, the testimonies from our clients reveal some very concerning details ranging from potential huge financial impact to highly sensitive details being compromised.”

Barings said their own investigations had shown hackers could have had access to passports, emails and home addresses, plus there was evidence of unauthorised activities such as Just Eat being placed on their bank accounts.

Following the incident, The Pensions Regulator made contact with more than 300 funds, to find out whether their personal data had been compromised

Malik added:

“While we acknowledge that Capita were themselves victims of a cyberattack here, their financial resources are such that the £20m they’re forecasting this will cost them, is not that significant in the grand scheme of things.

“Unfortunately, the same can’t be said for our clients, who’ve worked extremely hard all their lives to be told they might now lose everything.

“The legal action from Barings Law sends a powerful message that data breaches carry significant consequences and that companies must prioritise it. It serves as a reminder to organisations to take appropriate measures to safeguard personal data and prevent similar incidents in the future.”

At the time, a spokesperson for the Information Commissioner’s Office said:

“We are aware of two incidents concerning Capita, regarding a cyber-attack in March and the use of publicly accessible storage. We are receiving a large number of reports from organisations directly affected by these incidents and we are currently making enquiries.

“We are encouraging organisations that use Capita’s services to check their own position regarding these incidents and determine if the personal data they hold has been affected. If necessary, consider reporting a data breach to the ICO and we will use this information to inform our next steps.”

Capita said that the “unauthorised intrusion” was interrupted and resulted in the impact of the attack being “significantly restricted.”

After carrying out its own forensic work and using third party providers, it said that “some data was exfiltrated from less than 0.1% of its server estate.”

“Capita has taken extensive steps to recover and secure the customer, supplier and colleague data contained within the impacted server estate, and to remediate any issues arising from the incident.”

It expected to incur exceptional costs of approximately £15m to £20m associated with the attack, this comprised of “specialist professional fees, recovery and remediation costs and investment to reinforce Capita’s cyber security environment.”

The company added that it had taken further steps “to ensure the integrity, safety and security of its IT infrastructure to underpin its ongoing client service commitments.”


Related News