Frequently asked questions

  • Cyber incident

  • What has happened?

    You may have seen in the news that Capita, who are the administrator of the AXA UK Group Pension Scheme (the "Scheme"), have experienced a cyber incident. Capita have been investigating this incident and we have been working with them to monitor the situation.

    Unfortunately, Capita have reported to us that our Scheme is among those pension schemes that are affected, because members' personal data was held on Capita's computer systems that were affected by the cyber incident. This means that personal data that Capita processes on behalf of our Scheme has been part of the data that has been taken from them as part of the cyber incident.

    We understand that the incident predominantly affects data relating to people who are receiving pensions from the Scheme. If you're not currently receiving a pension from the Scheme, we understand only a very small group is impacted.

    We have been contacting everyone who is affected, with the latest letters issued at the beginning of May 2024, to confirm the position that applies to them personally.

  • Why does the May 2024 Trustee letter say that a follow-up letter will be issued in September, when my Experian account will lapse before this date?

    If you received our May 2024 letter and are not already signed up to Experian, but you now wish to do so, please use the voucher code set out in our May 2024 letter.

    If you were already signed up to Experian when you got our May 2024 letter, we do need to ask for your patience and cooperation in waiting until September 2024 before using a new voucher code – and we will write to you then to confirm what your new voucher code will be.

    This is because we've been told that you cannot use a new voucher with Experian until your existing membership has expired, and trying this could cause error messages and frustration for you. As your membership of Experian is confidential to you and Experian, we do not know (and they cannot tell us) whether any particular person has signed up or not at present. We therefore included codes in our May 2024 letters for everyone, to be on the safe side in case you hadn't already signed up. We do appreciate this means some people won't be able to use the May 2024 codes because they already have an existing account. By September 2024, all existing sign-ups should have cleared (as the expiry of the original Experian code issued in May 2023 was 31 August 2023) and so nobody should then have any problems using new voucher codes.

    This may mean that for some people, the coverage will lapse for a short period before September 2024. The advantage is that in these cases resumed membership will then run later on until at least September 2025 (assuming you choose to immediately sign up again). It is important to note that the Experian service does look backwards, so members who sign up again in September 2024 will still be able to look at any activity that happened during any period while their account was lapsed.

    However, if you are concerned about having a gap in the coverage, and you decided to sign up very soon after the original letter was issued in May 2023, it's worth noting that the expiry date of the Experian code issued in the May 2024 letter is 31 July 2024. So one option potentially available is to choose to activate this new code in the May 2024 letter, once your current free 12-month Experian membership has expired and before 31 July 2024.

  • Could any more of my data be at risk?

    The affected data has now been subject to an internal review by Capita and a thorough external check by an independent third party appointed by Capita to verify that all affected people and data have been identified. Both these reviews are now complete and so we understand that Capita do not expect to have to announce that any other Scheme data is at risk. We have written directly to all impacted members to explain how they are affected personally.

  • What immediate actions did the Trustee take?

    We have an incident response plan for situations like this, which we launched as soon as we were notified about the incident.

    The Trustee's initial priority was to understand what data was taken and to contact affected members directly, as quickly as we could, to provide more information and guidance, including sources of further assistance.

    The Trustee also notified the Information Commissioner's Office (ICO) of a data breach and notified The Pensions Regulator (TPR), in line with legal requirements. AXA UK is keeping other regulators updated as needed.

  • What is the Trustee doing now?

    The Trustee takes the security of data very seriously and our incident response process remains open while we review what happened and the remedial actions taken. This means the Trustee's Incident Response Team is currently progressing a number of key actions on behalf of the Trustee and members, in order to provide increased assurance as to the security of data. This includes an enhanced IT security review. Capita are also commissioning an external audit of their response to the cyber incident and arranging for an external penetration test of Capita’s IT perimeter.

  • What assistance is the Trustee providing?

    Affected members were given an option to take out a free 12-month membership of an Experian fraud monitoring service. We are reassured that many affected members chose to take this up.

    Following the results of the recent external review and member feedback, the Trustee has now decided to meet the cost of issuing new Experian codes to those affected members who have not previously signed up for the free Experian service. The intention is also to write, in September 2024, to those members who had originally signed up for the Experian service, to extend their membership by a further year. The Trustee's letters to affected members include relevant details as to how to access this extended service.

  • If I have a query can I speak to someone and will they be able to take my call?

    Capita have arranged for further resources to be added to their contact centre. If you have any questions regarding the cyber incident, please contact us at cyberqueries_all@capita.com or 0800 229 4005 (Monday to Friday – 08.30am to 5.30pm).

    A significant number of members called in to make enquiries when the initial communication was issued, and Capita have assured the Trustees that sufficient resources will be available to support members.

  • When was the incident at Capita and could the Trustee have told me any sooner?

    We understand from Capita that the incident arose following initial unauthorised access on or around 22 March 2023 which was interrupted by Capita on 31 March 2023. Capita made a formal notification to the stock market on 3 April noting that there was some evidence of a limited transfer of data from their servers and that Capita were investigating the data breach to identify those that were impacted. On 17 May 2023, Capita first informed the Trustee that some Scheme data was taken. On 2 June 2023 we were informed that some additional data had also been taken.

    In the period up to 2 June 2023, Capita were still carrying out their internal investigation to check for any impacts on Scheme data, and we kept in regular contact with them so that we could update members as quickly as possible if there were any relevant developments.

    Following each of the notifications (on 17 May and 2 June 2023), we needed to gather further information (including obtaining Experian codes) and take the steps necessary to contact members as quickly as we could.

    After reviewing the affected data themselves, Capita commissioned an independent third party review to check the data.

    This external check of the affected data by the independent third-party reviewer reported back to us in spring 2024 and unfortunately it identified that some new or additional data had been affected. We are sorry that it took a long time to identify this, but the external review was very thorough and so it took a long time. Extensive work was required to finalise the external check of data including the removal of duplicate results. This was monitored and regularly chased by the Trustee and AXA UK. Once we received the completed results of the external check with details of the new and additional impacted data, the Trustee endeavoured to issue communications to affected members as soon as possible.

  • Do you have any more detail about how the cyber incident occurred? Was the data encrypted?

    Capita is still in the process of providing the Trustee with full details about these matters. The Trustee has been seeking clarity as to exactly how the incident occurred, to understand the lessons learned from this incident, and identify security improvements which can be made to better protect personal data.

    It is important to note that we have had assurances from Capita that the cyber issue does not relate to Capita’s Hartlink or Hartlink online portal (the core administration system and attaching on-line tool). We have been informed this administration platform is encrypted.

    The Trustee's focus, with the support of the AXA UK Business Security Team, is now to ensure that appropriate security is in place, via an evidence-based IT security assessment.

  • Are AXA and the Trustees carrying out their own checks?

    The Trustee has been fully supported by AXA UK’s Business Continuity and Data Protection/Privacy Teams to ensure we are closely monitoring the position and also conducting checks to help determine if any AXA data has entered the dark web.

  • Are Capita's systems now secure?

    Capita have publicly stated that they have restored impacted services. Capita have confirmed to the Trustee that they have received independent assurance from third party IT experts that Capita’s systems are secure and robust again.

  • Is the cyber incident over?

    Capita have confirmed to the Trustee that they have received independent assurance from third party IT experts that Capita’s systems are secure and robust again.

    We will provide further updates as needed if there are any additional relevant developments to report in relation to the Scheme.

  • What due diligence did the Trustee and AXA UK take on an ongoing basis?

    In 2022, an external consultancy firm, commissioned by the Trustee, performed a review of Capita’s systems, specifically in relation to cyber security. In addition, the AXA IT security team undertake periodic reviews of Capita’s systems.

    The AXA UK Business Security Team is currently undertaking a more detailed evidence-based review of Capita IT systems to help reassure the Trustees that Capita’s systems are suitably secure.

  • Why is Capita offering the Experian service for only 12 months?

    The original intention was that the Experian membership would expire after 12 months. Capita has been advised by its third-party experts that 12 months of monitoring is in line with market standards.

    However, following the recent external check of the data, and member feedback, the Trustees have agreed to:

    • Meet the cost of providing a new Experian code to those affected members who did not originally sign up to the service.
    • Extend the Experian service for a further year for those affected members who originally signed up.

    The Trustee's letters to affected members set out further relevant details of how to access this extended Experian service.

  • The Trustee is suggesting that members use Experian. How do we know we can rely on their security?

    Experian is an established business, offering a service which you may find useful, as outlined in our letter. Whilst we strongly encourage you to consider taking advantage of the free 12-month service, you do not have to do so. Experian’s approach to data privacy is set out on their website www.experian.co.uk/privacy/privacy-and-your-data.

  • What can Experian provide if I do not want to use the internet?

    It is possible to request a ‘Statutory Credit Report’ from Experian.

    • This is a one-off report of your credit file.
    • You can apply for it via post.
    • This is offered free of charge.
    • It is a one-off report on a particular date, so it does not provide ongoing monitoring against fraud.

    To obtain a one-off copy, Experian will require the following details:

    • Member’s full name
    • Date of birth
    • Address history for the last 6 years

    You can apply for your Statutory Credit Report by post by filling in the Statutory Credit Report application form and sending it to the address below:

    Customer Support Centre, Experian Ltd, PO Box 8000, Nottingham, NG80 7WF

    It usually takes up to 7 working days for your report to arrive. It may take longer if they require some more information to verify your identity.

  • How can I use Experian if I do not have the internet or an email address?

    The Experian monitoring service does require internet access and an email address, but we appreciate that not everyone will have these. Accordingly, Experian will allow you to let someone else set up and use the Experian service on your behalf. For example, you could ask a trusted family member, friend or third party to do this; and many public libraries offer free internet access. If you ask someone else to use the Experian service for you, and they want to contact Experian on your behalf, Experian will ask them to provide evidence that:

    1. you have provided your consent for them to contact Experian on your behalf (e.g. by asking to speak to you); or
    2. they have Power of Attorney, Deputyship or similar legal authority where you are unable to provide your consent for them to contact Experian on your behalf.

    If you have further questions on this, or any particular accessibility requirements relating to Experian, there is a specialist number to call. The people there can provide more detail about the service and how it works. That phone number is 020 8090 3696. They are open Monday to Friday, 8am to 6pm.

  • Can Experian offer CIFAS as an additional check?

    For UK-based pensioners: if you are at higher risk of fraud, Experian can add protective CIFAS (Credit Industry Fraud Avoidance System) registration to your Credit Report, which can help prevent credit being taken in your name.

    CIFAS can be applied free of charge through your Identity Plus membership. Please note CIFAS may not be available overseas.

    Experian have advised that this service isn’t applied by default because it does add additional security checks when applying for credit, meaning some people prefer not to use it. If you have or will shortly have legitimate credit applications going through, being on the CIFAS register may impact the lending approval criteria, so it’s important you think about whether you are making any credit applications before you set up CIFAS.

    To activate your CIFAS registration, please contact the Experian Product support team on 020 8090 3696. They are open from Monday to Friday between 8am and 6pm.

    Further information about CIFAS is available at www.cifas.org.uk/pr. If you do wish to take this complimentary service, please contact Experian and not CIFAS directly.

  • Will Capita/Trustee indemnify me for any loss incurred as a result of this incident?

    We recommend that members sign up to Experian’s monitoring service, as this will help to reduce the risk of any loss. However, if you believe that you have suffered a loss as a consequence of this incident, you can use the existing procedures to raise a complaint, detailing any loss incurred. We would give appropriate consideration to any such complaint and would expect Capita to do the same.

  • Can the Trustees give me any guidance on keeping my data safe?

    We would remind our members to be extra vigilant for unusual activity on their accounts, including suspected phishing emails, and other potential scams and/or fraudulent activity.

    Have a look at the Government National Cyber Security Centre's guidance on data breaches.

    The FCA also has some useful information on how to spot the warning signs of financial scams at www.fca.org.uk/consumers/protect-yourself-scams

    We would encourage members to only ever give out personal information if they are absolutely sure they know who they are communicating with.

    • If you receive a suspicious email, you should forward it to report@phishing.gov.uk.
    • For text messages and telephone calls, forward the information to 7726 (free of charge).
    • For items via post, contact the business concerned.
    • If there are any changes to your National Insurance information, HM Revenue & Customs would contact you – but you can also phone them on 0300 200 3500.

    Remember:

    • If you receive an unsolicited call or other contact from someone, only give out your personal information if you are happy that the person contacting you is who they say they are.
    • Be careful with unexpected emails or texts, especially if they ask you to click on a link or enter your login details or passwords.
    • Check your bank statements for any signs of unusual activity in recent weeks and consider checking for any new credit files or credit searches in your name which you don't recognise.
    • If in doubt – stop and think. Hang up or end the conversation if you need to. Contact your bank or financial services provider directly if you aren't sure. If you have any suspicions at all, please don't give out any information or bank details. Just hang up or delete the worrying text or email.

    Here are some other suggestions that may help you protect yourself and your information against scammers:

    • Protect your email with a strong password (tip: use 3 random words to create a single password that’s difficult to crack).
    • Do not share your password with anyone.
    • Install the latest security updates to your browser software and personal computing devices.
    • If in doubt, do not open emails from senders you do not recognise.
    • Check links look correct before you click on them.
    • Be suspicious of anyone who asks for your bank account or credit card details.
    • If the email contains spelling mistakes, this can be a sign that this is a phishing scam. Do not open the email or attachments.

    If you think you have been a victim of fraud you should report it to Action Fraud, the UK's national fraud and internet crime reporting centre, on 0300 123 2040.

  • What should I do if I think I may have been scammed?

    If you think that you may have been the victim of a scam, or that someone has attempted to carry out a scam, there are a number of things you can do:

    • Get in touch
      If the scam relates to your Scheme benefits, please contact Capita on 0370 1234 701 or at AXA-pensions@capita.com

    • Report it
      You can make a report to Action Fraud (the National Fraud & Cyber Crime Reporting Centre) on 0300 123 2040 or at actionfraud.police.uk

  • What, if anything, should we tell our bank, building society etc?

    You may wish to consider whether you tell the bank that your personal data is potentially at risk as a result of the Capita data breach and that they should be on alert as to any unusual activity on your account. The Trustee will provide further guidance in letters issued personally to affected members.

  • Have the Trustees informed the Information Commissioner’s Office (ICO)?

    Yes, we have reported this to the ICO and will work with them to address any queries they may have.

  • Have the Trustees informed The Pensions Regulator?

    Yes. We have been keeping The Pensions Regulator up to date about our response to this incident.

  • Have the Trustees informed the Financial Conduct Authority & PRA?

    Yes. Whilst this incident relates to Scheme data and not AXA customer data, AXA UK has been keeping its regulators updated.

  • Should the Capita Contract be reviewed?

    As with all of the Trustee's service providers, Capita's performance is monitored and reviewed. The Trustee will take on board feedback received in relation to the Capita contract.

  • Capita mentioned (in an online article) that the hack may cost them £20m. What does this mean?

    In an announcement to the stock market on 4 August 2023, Capita stated that it expects to incur exceptional costs of approximately £20m to £25m associated with the cyber incident, comprising specialist professional fees, recovery and remediation costs and investment to reinforce Capita’s cyber security environment. The Trustee does not have any further information as to how this figure was calculated by Capita.
