Britain's largest private pension scheme reveals scale of Capita break-in

Universities Superannuation Scheme, the UK’s largest private pension provider, says Capita has warned that details of almost half a million members were held on servers accessed during the recent breach. The USS made the disclosure today, saying that it uses Capita's technology platform, Hartlink, to manage in-house pension …

  1. VoiceOfTruth

    I will believe it when...

    -> “reputational damage for a key supplier to critical UK government services such as Capita is likely far greater.”

    A contract that was outsourced to Capita is cancelled on those grounds. Or, when some large public body rejects a tender from Capita on those grounds. Or, when HM government, in general, rejects Capita from bidding with those ground stated for disqualification.

    Three options. My tarot cards offer no such prediction.

    1. Yet Another Anonymous coward Silver badge

      Re: I will believe it when...

      You forget it's binary.

      Every time they fsckup the "don't deal with these idiots again" bit is flipped, and the next time they fsckup the bit is cleared.

  2. steviebuk Silver badge

    Here...

    ...you are Crapita. We've seen your recent break in but here's another multi million pound government contract. Cause we're too fucking lazy to do a new tender process cause we know we'll just pick you anyway. Yours Clueless UK Gov.

    1. Anonymous Coward

      Re: Here...

      Tender process:

      Q1. To avoid the risk of your company failing to be able to deliver this contract, do your annual revenues meet or exceed Crapita's?

      Q2. Are you an existing supplier and can therefore skip any competence tests?

      Q3. Are you willing to provide the lowest cost bid, knowing that you can more than make up for it with scope changes?

      Q4. Do you have multiple board members who make generous donations to political parties? Bonus points for supporting multiple parties to avoid being caught out by pesky elections.

      Q5. Do you have easy-to-hate PR spokespeople that can be wheeled out in front of the public to divert attention from any failures on the part of the government, the bureaucracy or your company?

      Please submit your tender documents in envelopes large enough to support your tender submission and enough Bank of England padding to ensure the submission is not damaged in transit.

      1. Anonymous Coward

        Envelopes? Surely Not!!

        Quote: "......in envelopes large enough to support your tender submission......"

        Not really big enough!! Multiple Fortnums shopping bags will hit the spot though!!

        Oh.....and the padding needs to be in US greenbacks.......best to use the $50 type!!!

        1. MachDiamond Silver badge

          Re: Envelopes? Surely Not!!

          "Oh.....and the padding needs to be in US greenbacks.......best to use the $50 type!!!"

          The $100 bill is the universal currency of bad shit. Are fifties even still in circulation?

      2. katrinab Silver badge

        Re: Here...

        Serco might be able to meet those criteria?

    2. Anonymous Coward

      Re: Here...

      Maybe if the Gubermint actually employed and nurtured talent in-house, they wouldn’t need to outsource.

      Outsourcing is another way of saying “we have no clue” and need outside help.

      The Gubermint, you know, the supposed intelligent people running whole countries.

      Nepotism strikes again

      1. Herring` Silver badge

        Re: Here...

        If you nurture in-house talent then they might get ideas above their station. If you get rid of 1,000 civil servants and replace them with Capita people who know nothing and are 4x the cost, you can pretend you've saved money at the same time as putting fear into the minds of other civil servants.

      2. Anonymous Coward

        Re: Here...

        >actually employed and nurtured talent in-house, they wouldn’t need to outsource

        We (sort of Government) brought stuff back in-house at the last cycle (we still tender out desktop support and network provision because those require resources we don't have). Bringing our infrastructure support back in-house saved us huge wedges of cash - enough to have 5 full-time people looking after stuff on a partly-rota basis.

        Stuff gets done more quickly, end users are happier, everyone wins (apart from the outsourcers).

        We've used Capita in the past. I'd like to say that they were the worst people we've dealt with but, sadly, there are a lot of ex-Capita managers out there in various outsourcers who seem to have the career goal to perpetuate the Crapita methodology elsewhere.

        Hint to outsourcers - pricing the standard service at below the cost to run it and then hoping to make up the difference through vastly inflated 'project' fees is not a viable business method, especially when dealing with an experienced service management team who have seen it all before. Also, please don't try the old trick of closing calls before the KPI report then re-opening them afterwards - you'll find you owe us copious service credits because we know about that little trick and wrote it as an addendum to the contract.

    3. hoola Silver badge

      Re: Here...

      It is not as simple as that.

      The tender process is a complete minefield of regulation in what you can and cannot do.

      These huge frameworks that are in place with "call-off" are a way to attempt to work around some of this but actually make things worse.

      Ironically much of the regulation around tendering is filtered down from the EU with the best of intentions but has just turned into a bureaucratic nightmare. The sole purpose of tendering now is to prove that you have been through a process to prevent unsuccessful responses from suing.

      That most of the successful responses are useless is a minor detail. Caveats in terms of turnover, previous contracts blah, blah all favour the same few useless corporations that have only got to that point because 20 years ago they bid for a tender or two.

      If you want to fix this then tonnes of process has to be zapped and replaced. That will take years because it is such a mess and all the people on the frameworks will howl with outrage as their gravy train stops.

      Equally there has to be a cultural change in the writing of the ITT and so on. So much of this is driven by legal, finance and procurement teams because that is where the actual responsibility is when unsuccessful responses decide to sue. The actual technical suitability and ongoing accountability once a tender is awarded is a minor insignificance.

      1. Anonymous Coward

        Re: Here...

        >The tender process is a complete minefield of regulation in what you can and cannot do.

        This is true. Even writing the spec so as to apply to a very limited set of companies (one is a very limited spec) can get you in trouble if one of the competitors decides to challenge the requirements. Even a bog-standard request will see the unsuccessful bidders calling for a review - which *has* to be responded to, wasting more time and effort.

        However, we do have 'industry reputation' as one of our criteria. It's amazing how many companies step back when they discover that clause.

  3. IGotOut Silver badge

    Please...

    Get the 10% of annual turnover off these clowns.

    Oh I forgot, the government will pay them £20billion to set up the Excel spreadsheet required to collect it.

  4. Nifty

    "National Insurance number and US member number". Now I'm confused as to how these 2 items are in the same database.

    1. anothercynic Silver badge

      Because those running USS are idiots?

    2. Doctor Syntax Silver badge

      Let me hazard a guess as to how "US" gets expanded in this instance: "Universities' Superannuation".

    3. plunet

      It's the humans that are insecure here

      It seems that it's not the actual pensions system/database that was compromised but some fileserver used by Crapita to do admin tasks on the pensions system. It appears this fileserver had various dump/export files from the pensions database for various clients probably used for massaging data and bulk updates, the problem is that they were left lying around and were not encrypted...

      1. Jonathan Richards 1 Silver badge

        Re: It's the humans that are insecure here

        Indeed, I came to ask if anyone knew how, if Hartlink was not breached, that USS members' data had been compromised? I'm pretty sure that dumping/exporting from a secure database will constitute a breach of the contract that USS has with Capita which, you know, might specify how the data are guarded in line with the GDPR? I think I can hear the sound of knocking on m'learned friends' office door even now.

      2. anothercynic Silver badge

        Re: It's the humans that are insecure here

        Irrespective of what happened... the data was (possibly) exfiltrated. According to the USS press release to its members, Crapita has told USS to consider the data exfiltrated until specifically told otherwise, and to warn all their members that are affected of this.

        Of course, no offer to pay for fraud monitoring (should exfiltration have occurred) has been forthcoming from Crapita.

        1. CrazyOldCatMan Silver badge

          Re: It's the humans that are insecure here

          Of course, no offer to pay for fraud monitoring

          Which is basically pretty useless anyway.

          One hopes that the ICO actually grows a backbone and starts hitting Capita with the sort of fines allowed under the GDPR.

    4. Jim Whitaker

      There is an "S" missing.
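The failure mode plunet describes above (plaintext database dumps left lying on an admin file share) is something a data-owner can check for before an intruder does. The following is an added example, not code from any commenter, from USS or from Capita: it walks a directory, skips files whose byte entropy suggests they are already encrypted or compressed, and flags readable files containing several values shaped like UK National Insurance numbers. The directory tree it builds is constructed sample data, the NI-number regex is a deliberately simplified version of the real format, and the entropy threshold and hit count are assumptions to tune for your own shares.

```python
import math
import os
import re
import tempfile

# Simplified UK National Insurance number shape: two letters, six digits, suffix A-D.
# Real NI numbers also exclude certain prefix letters; this coarse pattern is
# an assumption chosen for illustration, not a validator.
NI_PATTERN = re.compile(rb"\b[A-Z]{2}\d{6}[A-D]\b")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed data sits near 8, text well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_file(path: str, sample_bytes: int = 1 << 20, min_hits: int = 2):
    """Return a reason string if the file looks like a plaintext personal-data export, else None.

    Only the first `sample_bytes` are read so the scan stays cheap on large dumps.
    The 7.5 bits/byte cut-off and `min_hits` are assumed tuning values.
    """
    with open(path, "rb") as fh:
        data = fh.read(sample_bytes)
    if not data:
        return None
    if shannon_entropy(data) > 7.5:
        return None  # looks encrypted/compressed: not readable as-is, so not flagged here
    hits = len(NI_PATTERN.findall(data))
    if hits >= min_hits:
        return f"{hits} NI-number-like values in plaintext"
    return None


def find_plaintext_exports(root: str):
    """Walk `root` and return sorted (relative path, reason) pairs for flagged files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reason = classify_file(path)
            if reason:
                findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)


def build_sample_tree() -> str:
    """Constructed sample share, NOT real data: one plaintext export, one note, one encrypted blob."""
    root = tempfile.mkdtemp(prefix="share-")
    os.makedirs(os.path.join(root, "exports"))
    with open(os.path.join(root, "exports", "members_dump.csv"), "wb") as fh:
        fh.write(b"member_no,ni_number,surname\n"
                 b"100001,AB123456C,Smith\n"
                 b"100002,CD654321A,Jones\n"
                 b"100003,EF111111B,Patel\n")
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"Bulk update scripts for client X. Contact the admin team.\n")
    with open(os.path.join(root, "exports", "members_dump.csv.gpg"), "wb") as fh:
        fh.write(os.urandom(4096))  # stands in for a properly encrypted export
    return root


if __name__ == "__main__":
    share = build_sample_tree()
    for rel_path, reason in find_plaintext_exports(share):
        print(f"FLAG {rel_path}: {reason}")
```

Run against the constructed tree it reports only `exports/members_dump.csv`; the `.gpg` blob is skipped by the entropy test and the readme contains no NI-shaped values. In practice you would point `find_plaintext_exports` at the admin share, feed the findings into a ticket, and either delete the exports or put them behind encryption and an access review.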

  5. anothercynic Silver badge

    Can't wait...

    ... For the information about this. No doubt the UCU union will have an absolute field day given that this pension fund holds the pensions of every lecturer and every member of staff of every classic uni (and many research orgs) in the country. Well done, Crapita, well done. I guess the next evaluation will be lower still to hide the fact that this happened instead of recovering any damages from Capita, and all that'll be offered will be a year's fraud monitoring.

    1. Jonathan Richards 1 Silver badge

      Re: Can't wait...

      > pension fund holds the pensions of every lecturer and every member of staff of every classic uni ...

      Dead right. I paid into a pension administered by FSSU, (USS predecessor) and I've never been a university staff member (lucky escape for tertiary education).

      1. Anonymous Coward

        Re: Can't wait...

        As they say - you don't have to be clever to work in a university. As with every other organisation there are jobs for many different skillsets.

    2. lybad

      Re: Can't wait...

      Not quite all staff. Membership is only open above a certain pay grade. And if you were part of an institution that got absorbed by another you could still be in an alternate pension scheme.

      1. anothercynic Silver badge

        Re: Can't wait...

        *Now* it's only open above a certain pay grade. In the golden olden days, everyone was on it :-)

  6. spold Silver badge

    All your pension books are belong to us

  7. Paul Johnston

    Count me in!

    Just got an email from USS saying that they are sorry but they are confident in their robust procedures.

  8. Missing Semicolon Silver badge

    £20m?

    Tens of pounds per person. That does not cover very much does it?

    They should actually pay for fraud insurance for each victim. Which would I suspect cost rather more.

    1. Anonymous Coward

      Re: £20m?

      USS: "We would encourage members to only ever give out personal information if they are absolutely sure they know who they are communicating with."

      If I'd known USS were handing personal details on to Crapita, maybe I'd have done differently. Oh wait, I didn't get the choice.

  9. Anonymous Coward

    Maybe they've changed?

    I worked for one of Westminster City Council's education services in the early 00s and we took over the IT support on a couple of small Capita sites. XP had been out a few years and their desktops were still on NT, no biggy I suppose, but we upgraded them to XP... we looked after them for 2-3 years (maybe more) at which point they needed to bring them back under their control (a change in Policy). At that point XP had been out I'd say at least 4 years and they downgraded the desktops back to NT... Bearing in mind XP wasn't released until 2002, I'm pretty sure it was close to or past the end of support date for NT4 of Dec 2006 at that point (which was extended from 2004 for the public sector). This was my main interaction with Capita in the 7 years I worked for WCC (other than the occasional helpdesk ticket we had to submit for integration changes, which was always a real eye roller of an experience).

    I'm sure things have changed a lot in 20 years and this then, already complacent monster of a company, is now super agile and well thought of.

  10. Anonymous Coward

    Get hacked now

    Avoid the rush!

  11. R Soul Silver badge

    Another fucked up outsource provider?

    What cesspit did this Capita crawl out from? Are they some sort of spin-off from Crapita?

  12. Duffaboy

    I have always wondered why people do business with them.

    I

  13. Roger Kynaston

    stuck record

    Shirly (again) it is time that decision makers did a proper due diligence (again) when assessing who might be a good outsourcing partner (again) and not give the work to the same old pile of shit companies (again).

    I shall await the email saying that sadly, my data was amongst that which was stolen/exfiltrated/encrypted/lost and that USS will do its utmost to help but cannot be held responsible for this (again). I'll also wait for the avalanche of phishing emails of course.

    1. Anonymous Coward

      Re: stuck record

      "Dear USS Member,

      I'm writing to remind you about the opportunity to meet with the USS Trustee Board and Executive next week. ..."

      Memo to self: get popcorn.

  14. ComicalEngineer

    Crapita strikes again.

    I'm a former member of USS and my son is a current member so I have a dog in this fight.

    Another absolutely disgraceful debacle from Crapita -- should we expect anything else? Personal opinion is that it's time that companies and especially the UK government stopped outsourcing to this bunch of incompetents and secondly that Crapita was broken up.

    In the last few years I've watch Crapita screw up several defence projects, the tagging service, NHS IT systems, British Army recruiting and destroy a perfectly good IT company that they bought and screw up various local government contracts. Oh, and a rail franchise.

    Google "capita army recruitment problems" if you want a typical run down on project mismanagement.

    1. WorsleyNick

      My brother receives one of his pensions from USS and has received a letter from USS. It includes an offer for 1 year free use of Experian. Apart from the complexity of accepting the offer he gave up when he realized that he was being asked to put even more personal information up onto the Experian system than had previously been on the USS system.

      That would put him even more exposed waiting for Experian to be hacked.

      The very commonality of outsourcing sensitive data to fewer and fewer service suppliers must be making hacking more and more potentially lucrative and therefore more likely. If one hack will get you the whole of all NHS personal data, that must make it more likely to happen than if each individual hospital and doctor's systems have to be hacked.
