Frequently asked questions

You may have seen in the news that Capita, who are the administrator of the AXA UK Group Pension Scheme (the "Scheme"), have experienced a cyber incident. Capita have been investigating this incident and we have been working with them to monitor the situation.

Unfortunately, Capita have reported to us (the Trustees) that our Scheme is among those pension schemes that are affected, because members' personal data was held on Capita's IT systems that were affected by the cyber incident. This means that personal data that Capita processes on behalf of our Scheme has been part of the data that has been taken from them as part of the cyber incident.

We have been notified that data relating to people who are receiving pensions from the Scheme has been affected.  If you're not currently receiving a pension from the Scheme, we have not been notified that your data is impacted but we will keep you informed of any developments.

The data that is potentially at risk is: name, member unique identification, National Insurance number, pension in payment, tax code, tax paid and other deductions where applicable. For a smaller proportion of those affected, date of birth, date of retirement, date pension stopped and, in a very small number of cases, address and certain bank details, may also be at risk. We have been contacting everyone who is affected to confirm the position that applies to them personally.

Capita have now completed their detailed internal investigation and notified the Trustee of the outcome on Friday 2nd June. These investigations are being reviewed by an external party. Capita does not expect to announce any further at-risk data; however, we will update the article on our Trustee website if there is a further update (and we will also inform members directly again if there are any further relevant developments to report that affect them personally).

We have an incident response plan for situations like this, and we are proactively working with Capita and professional advisers on our next steps. We have been gathering required information and taking the further steps necessary for us to be able to contact affected members directly, as quickly as we could, to provide more information and guidance, including sources of further assistance.

The Scheme’s Trustee has also notified the Information Commissioner’s Office (ICO) of a data breach and also notified The Pensions Regulator, in line with legal requirements. AXA UK is keeping other regulators updated as needed.

Affected members have been given an option to take out a free 12-month membership of an Experian fraud monitoring service. Relevant details as to how to access this service are included in the letter from the Trustee.

We have arranged for further resources to be added on the Scheme member helpline (0370 1234 701). Also, Experian have increased their resource on their technical helpline which is supporting the implementation of the Experian service. A significant number of members called in to make in enquiries on Monday 5th and Tuesday 6th June, but the number of calls has since reduced. We are sorry if you have needed to queue to get through on the phone.

We understand from Capita that the incident arose following initial unauthorised access on or around 22 March which was interrupted by Capita on 31 March. Capita made a formal notification to the stock market on 3 April noting that there was some evidence of a limited transfer of data from their servers and that Capita were investigating the data breach to identify those that were impacted. On 17 May, Capita first informed the Trustee that some Scheme data was at risk. We were informed that additional data was at risk on 2 June.

In the period up to 2 June, Capita were still carrying out their internal investigation to check for any impacts on Scheme data, and we kept in regular contact with them so that we could update members as quickly as possible if there were any relevant developments.

Following each of notifications (on 17 May and 2 June), we’ve needed to gather further information and take the steps necessary to contact members as quickly as we could. We needed to work with Capita to obtain additional information in order to be able to identify and write out personally to everyone who is affected in each case. We also obtained the details necessary for accessing the Experian service. It has taken a little time to check the affected members and then print and post the letters, but we did this as quickly as we could.

Capita is still in the process of providing the Trustee with details as to the outcome of their internal forensic review. The Trustees will be seeking to confirm exactly how this incident occurred, to understand the lessons learned from this incident, and identify security improvements which can be made to better protect personal data.

It is important to note that we have had assurances from Capita, that the Cyber issue does not relate to Capita’s Hartlink or Hartlink online portal (the core administration system and attaching on-line tool). We have been informed this administration platform is encrypted.

The Trustee has been fully supported by AXA UK’s Business Continuity and Data Protection/Privacy Teams to ensure we are closely monitoring the position and also conducting checks to help determine if any AXA data has entered the dark web.

Capita have publicly stated that they have restored impacted services. Capita have confirmed to the Trustee that they have received independent assurance from third party IT experts that Capita’s systems are secure and robust again.

Capita have confirmed to the Trustee that they have received independent assurance from third party IT experts that Capita’s systems are secure and robust again.

We will provide further updates as needed if there are any additional relevant developments to report in relation to the Scheme.

In 2022, an external consultancy firm, commissioned by the Trustee, performed a review of Capita’s systems, specifically in relation to cyber security. In addition, the AXA IT security team undertake periodic reviews of Capita’s systems.

The current intention is that the membership would expire after 12 months. Capita has been advised by its third-party experts that 12 months of monitoring is in line with market standards. We can reassure you that the Trustee will keep this position under review.

Experian is an established business, offering a service which you may find useful, as outlined in our letter. Whilst we strongly encourage you to consider taking advantage of the free 12-month service, you do not have to do so. Experian’s approach to data privacy is set out on their website www.experian.co.uk/privacy/privacy-and-your-data.

It is possible to request a ‘Statutory Credit Report’ from Experian.

• This is a one-off report of your credit file.
• You can apply for it via post.
• This is offered Free of Charge.
• It is a one-off report on a particular date, so it does not provide ongoing monitoring against Fraud

To obtain a one-off copy of Experian will require the following details:

• Member’s full name
• Date of birth
• Address history for the last 6 years

You can apply for your Statutory Credit Report by post by filling in the application form (Statutory Credit Report application form (2).pdf) and sending it to the address below:

Customer Support Centre, Experian Ltd, PO Box 8000, Nottingham, NG80 7WF

It usually takes up to 7 working days for your report to arrive. It may take longer if they require some more information to verify your identity.

The Experian monitoring service does require internet access and an email address, but we appreciate that not everyone will have these. Accordingly, Experian will allow you to let someone else set up and use the Experian service your behalf. For example, you could ask a trusted family member, friend or third party to do this; and many public libraries offer free internet access. If you ask someone else to use the Experian service for you, and they want to contact Experian on your behalf, Experian will ask them to provide evidence that:

1. you have provided your consent for them to contact us on their behalf (e.g. by asking to speak to you); or
2. they have Power of Attorney, Deputyship or similar legal authority where you are unable to provide your consent for them to contact us on their behalf.

If you have further questions on this, or any particular accessibility requirements relating to Experian, there is a specialist number to call. The people there can provide more detail about the service and how it works. That phone number is 020 8090 3696. They are open Monday to Friday, 8am to 6pm.

For UK based pensioners. If you are at higher risk of fraud, Experian can add protective CIFAS (Credit Industry Fraud Avoidance System) registration to your Credit Report which can help prevent credit being taken in your name.

CIFAS can be applied free of charge through your Identity Plus membership. Please note CIFAS may not be available overseas.

Experian have advised that this service isn’t applied by default because it does add additional security checks when applying for credit, meaning some people prefer not to use it. If you have or will shortly have legitimate credit applications going through, being on the CIFAS register may impact the lending approval criteria, so it’s important you think about whether you are making any credit applications before you set up CIFAS.

To activate your CIFAS registration, please contact the Experian Product support team on 020 8090 3696. They are open from Monday to Friday between 8am and 6pm.

If you want to find out any further information around CIFAS you will find this information here www.cifas.org.uk/pr. If you do wish to take this complimentary service please contact Experian and not CIFAS direct.

We recommend that members sign up to Experian’s monitoring service, as this will help to reduce the risk of any loss. However, if you believe that you have suffered a loss as a consequence of this incident, you can use the existing procedures to raise a complaint, detailing any loss incurred. We would give appropriate consideration to any such complaint and would expect Capita to do the same.

We would remind our members to be extra vigilant for unusual activity on their accounts, including suspected phishing emails, and other potential scams and/or fraudulent activity.

Have a look at the Government National Cyber Security Centre’s guidance on data breaches. We would encourage members to only ever give out personal information if they are absolutely sure they know who they are communicating with.

• If you receive a suspicious email, you should forward it to report@phishing.gov.uk
• For text messages and telephone calls, forward the information to 7726 (free of charge).
• For items via post, contact the business concerned.
• If there are any changes to your National Insurance information, HM Revenue & Customs would contact you – but you can also phone them on 0300 200 3500.

If you think that you may have been the victim of a scam, or that someone has attempted to carry out a scam, there are a number of things you can do:

• Get in touch
  If the scam relates to your Scheme benefits, please contact Capita on 0370 1234 701 or at AXA-pensions@capita.com
  
  
• Report it
  You can make a report to Action Fraud (the National Fraud & Cyber Crime Reporting Centre) on 0300 123 2040 or at actionfraud.police.uk

You may wish to consider whether you tell the bank that your personal data is potentially at risk as a result of the Capita data breach and that they should be on alert as to any unusual activity on your account. The Trustee will provide further guidance in letters issued personally to affected members.

Yes, we have reported this to the ICO and will work with them to address any queries they may have.

Yes. We have been keeping The Pensions Regulator up to date about our response to this incident.

Yes. Whilst this incident relates to Scheme data and not AXA customer data, AXA UK has been keeping its regulators updated.

As with all of the Trustee's service providers, Capita's performance is monitored and reviewed. The Trustee will take onboard feedback received in relation to the Capita contract.

Capita has stated that it expects to incur exceptional costs of approximately £15m to £20m associated with the cyber incident, comprising specialist professional fees, recovery and remediation costs and investment to reinforce Capita’s cyber security environment. The Trustee does not have any further information as to how this figure was calculated by Capita.

If you believe you are entitled to a pension from the AXA UK Group Pension Scheme, it is best to contact the administrators, who can check their record and arrange for information to be provided to you.

You can find out how much you pension is worth by logging in to your online account at www.hartlinkonline.co.uk/axa-employeebenefits. If you’ve not logged on before, you might find our guide on how to register helpful. You can download it here.

Your online account will provide an overview of what happens to your benefits if you die.

Your next of kin will need to contact the administration team to let us know so we can stop payments and arrange any spouse or dependant’s pensions to be paid. Please call us on 0370 1234 701 if you need to arrange this.

You can download a copy to complete from your online account at www.hartlinkonline.co.uk/axa-employeebenefits, or contact the administration team.

The earliest age you can take any pension is age 55 (this will increase to 57 in 2028). The earliest you can take your defined benefit pension without it being reduced for early retirement is known as your normal retirement age. Your normal retirement age will depend on which section you were in. Your online pension account will tell you the right date for you.

The administration team will contact you automatically six months before your oldest normal retirement age (if you have more than one). If you want to retire early and are over age 55, contact the administration team for a retirement pack.

Yes, you can, but if you want to move it to a defined contribution type scheme, you will need to take financial advice if the capital value of your benefits is more than £30,000. Please contact the administration team if you want more information about transferring your pension.

If you think your pension has been calculated incorrectly, please contact the administration team. If you think your tax has been calculated incorrectly, you will need to contact HMRC.

All your payslips and P60s are available in your online pension account at www.hartlinkonline.co.uk/axa-employeebenefits. If you’ve not logged on before, you might find our guide to how to register helpful. You can download it here.

You can update your personal details, including your address and bank details, by logging in to your online pension account at www.hartlinkonline.co.uk/axa-employeebenefits. If you’ve not logged on before, you might find our guide to how to register helpful. You can download it here.

You will need to contact the administration team to let us know so we can stop payments and arrange any spouse or dependant’s pensions to be paid. Please call us on 0370 1234 701 if you need to arrange this.

Your pension will need to be taken into consideration in your divorce proceeding. The Court will provide an Order detailing the proportion of your pension which is allocated to your ex-spouse. For further details please contact the administrators.

There are six Pensioners’ Associations, which together make up the Federation of AXA UK Pensioners’ Associations. The Federation produces a newsletter, Cascade, which has full details of each Association and who to contact to keep in touch.

To get a forecast of how much you’re likely to get in State Pension, please go to www.gov.uk/check-state-pension

To check your State Pension age, please go to www.gov.uk/state-pension-age