Diageo pension fund members caught up in Russia-linked Capita cyberattack

Diageo’s pension scheme has warned some of its members that a file containing sensitive personal information, including their national insurance number, home address and date of birth, had been impacted as a result of what Capita has described as a “cyber incident”.

Although the security breach took place in March, details of those organisations and pension funds that were affected are still coming to light. Diageo, which has tens of thousands of members of its pension scheme, is the latest example.

In a letter sent to one scheme member, Diageo’s pension trust explained Capita, the scheme’s administrator, had initially told the drinks giant about the incident at the end of March. However, it was not until five weeks later that it confirmed that personal information may have fallen foul of the Russian-linked attack.

The letter states: “During the course of April, Capita informed us that they had taken steps to isolate and contain the incident whilst they continued to investigate it. However, on 3 May, Capita told us that it is likely a file containing your data had been compromised.”

The letter goes on to state the member, from Scotland, is being offered a complimentary 12-month membership to Identity Plus via Experian, a service that helps detect possible misuse of personal data.

Capita declined to address questions over how many of Diageo’s pension fund members had been impacted by the attack. It had 32,658 members in 2022, with net assets of £6.8 billion.

At the weekend, the Universities Superannuation Scheme (USS) said the details of around 470,000 of its members had been potentially accessed during the attack. It has reported the incident to the Information Commissioner's Office, the Pensions Regulator and the Financial Conduct Authority.

A group of Russian hackers known as Black Basta has claimed responsibility for the attack. Last week Capita said it expected to incur up to £20 million in costs associated with the incident, comprising specialist fees, recovery and remediation costs, and investment in its online security measures.

A Capita spokesman said: “Capita continues to work closely with specialist advisers and forensic experts to investigate the incident and we have taken extensive steps to recover and secure the data.

“In line with our previous announcement, we are now informing those we have identified to be affected. We have worked quickly to provide our clients with information, reassurance and support, while delivering for them as a business. In instances where we need to provide further support to those affected, we will do so.”

A spokeswoman for Diageo said: “We have been contacted by Capita and informed that the data of certain members of the Diageo pension scheme in the UK may have been compromised. We have written to those members to assure them that there has been no impact to the Diageo pension scheme and that their benefits are safe. We are providing support to our members and are seeking assurances from Capita that their systems and practices have been updated.”