Outsourcing giant Capita has been referred to the UK Information Commissioner's Office by the Cabinet Office after a data breach in the civil service pension scheme exposed personal details of members to other pensioners. The incident, which occurred in early April 2026, affects a scheme that pays 740,000 retired civil servants and totals 1.7 million members. It comes less than a year after Capita was fined £14 million for a 2023 cyberattack that compromised 6.6 million records.

What Happened

In early April 2026, Capita introduced new functions to the software platform underpinning the Civil Service Pension Scheme. The change resulted in pensioners being granted access to other members' personal details when logging in to view their own accounts, an access control failure rather than an external intrusion. The Cabinet Office formally referred the incident to the Information Commissioner, who confirmed: "The Cabinet Office reported an incident to us and we are assessing the information provided."

The breach is unfolding alongside broader operational failures. Processing issues have blocked pensioners from accessing their retirement savings, with government departments issuing interest-free loans now totalling more than £7 million to recent retirees facing financial hardship. Cabinet Office minister Nick Thomas-Symonds has demanded service levels be restored by the end of June and warned the government will "use every commercial lever at our disposal" to enforce targets.

What Was Taken

The exposure relates to the personal data of members enrolled in the Civil Service Pension Scheme, which pays 740,000 retired civil servants and has 1.7 million members in total.

The full scope of how many records were exposed and to whom is still being assessed by the ICO. The breach is described by sources as "not as drastic" as the 2023 cyberattack but indicative that "Capita data security has not improved."

Why It Matters

Capita administers government and corporate services touching tens of millions of UK citizens, and this is its second major data incident in three years. The 2023 cyberattack compromised 6.6 million records and resulted in a £14 million ICO fine, after which CEO Adolfo Hernandez said the company had "hugely strengthened" its cybersecurity posture and installed new digital and technology leadership.

A repeat exposure, even one rooted in misconfiguration rather than intrusion, signals that promised remediation has not closed the gap. Capita is now fighting to retain a £239 million seven-year contract, and the incident sets a precedent for how regulators treat repeat offenders in critical public-sector outsourcing. For defenders, it is also a reminder that civil service retirees are a high-value target population for fraud, identity theft, and pension scams.

The Attack Technique

This was not an external cyberattack. The exposure was caused by an authorisation flaw introduced when Capita rolled out new functions on its pension administration platform. The defect allowed authenticated users to view records belonging to other members, consistent with a broken access control or insecure direct object reference vulnerability where session or identity binding fails to scope queries to the logged-in user.

Such issues typically arise when changes to data models, account linking, or permission caches are deployed without comprehensive regression testing of multi-tenant authorisation paths. The fact that the defect surfaced immediately after a release suggests inadequate pre-production validation of access control logic.
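The flaw class described above, as an added illustration that is not Capita's code and makes no claim about how its platform is built: a hypothetical pension record store with a vulnerable lookup that trusts the member id supplied by the client, beside a hardened lookup that scopes the query to the authenticated session at the data-access layer. The `cross_user_regression_test` helper is the kind of pre-release check recommended in the first two points of "What Organizations Should Do" below: every member is simulated asking for every other member's record. Member ids, names and amounts are constructed sample data.

```python
"""Added example: insecure direct object reference versus session-scoped lookup
(hypothetical code, not from the article or from Capita's platform)."""
from dataclasses import dataclass


class AuthorisationError(Exception):
    """Raised when a session tries to read a record it does not own."""


@dataclass(frozen=True)
class Session:
    member_id: str  # identity established at login, never taken from the request


@dataclass(frozen=True)
class PensionRecord:
    member_id: str
    name: str
    annual_pension_gbp: int


# Constructed sample data; ids, names and amounts are invented for the example.
RECORDS = {
    "M-1001": PensionRecord("M-1001", "Member One", 18000),
    "M-1002": PensionRecord("M-1002", "Member Two", 22500),
}


def get_record_vulnerable(session: Session, requested_member_id: str) -> PensionRecord:
    """Insecure direct object reference: the record is fetched by whatever id the
    client asked for, and the session identity is never consulted."""
    return RECORDS[requested_member_id]


def get_record_hardened(session: Session, requested_member_id: str) -> PensionRecord:
    """Object-level check at the data-access layer: the query is bound to the
    session's own member id, so a missed UI or API guard cannot expose another
    member's record."""
    if requested_member_id != session.member_id:
        raise AuthorisationError(
            f"session {session.member_id} may not read {requested_member_id}")
    # Filter by the session identity, not by the client-supplied id.
    record = RECORDS.get(session.member_id)
    if record is None:
        raise KeyError(session.member_id)
    return record


def cross_user_regression_test(lookup) -> dict:
    """Simulate every member A requesting every other member B's record through
    `lookup` and report which (A, B) pairs leak. Run this against every endpoint
    before a release touching identity or data scoping is promoted."""
    leaks = []
    for a in RECORDS:
        for b in RECORDS:
            if a == b:
                continue
            try:
                leaked = lookup(Session(a), b)
            except AuthorisationError:
                continue  # correctly refused
            if leaked.member_id == b:
                leaks.append((a, b))
    return {"checked_pairs": len(RECORDS) * (len(RECORDS) - 1), "leaks": leaks}


if __name__ == "__main__":
    print("vulnerable:", cross_user_regression_test(get_record_vulnerable))
    print("hardened:  ", cross_user_regression_test(get_record_hardened))
```

The point of putting the check inside `get_record_hardened` rather than in a controller is that the data-access layer is the one place every code path must go through; a new function added in a release cannot bypass it by forgetting a guard.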

What Organizations Should Do

  1. Treat every release that touches identity, account linking, or data scoping as a high-risk change. Run automated authorisation tests that simulate user A attempting to retrieve user B's records across all endpoints before promotion to production.
  2. Implement object-level authorisation checks at the data access layer, not just at the API or UI layer, so that a missed UI guard cannot expose records.
  3. Monitor for anomalous read patterns post-release, such as accounts accessing records they have never touched before, and gate new releases behind canary cohorts with active observability.
  4. For outsourced critical services, contractually require breach notification within hours, evidence of authorisation regression testing, and the right to audit deployment processes after incidents.
  5. Maintain an incident communications plan for affected end users, particularly elderly or vulnerable populations, including identity protection support and clear guidance on recognising follow-on phishing.
  6. For pension scheme members and retirees: assume exposed details may be used for impersonation, freeze credit where possible, and verify any unsolicited contact claiming to be from the scheme administrator through official channels.
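Point 3 above, monitoring read patterns after a release, as an added example that is not part of the article: a small detector run over constructed access-log lines. Reads logged before an assumed release timestamp form each account's baseline; after the release, any record an account reads that it never touched before and that is not its own is reported, and a canary gate halts the rollout once enough distinct accounts show such reads. The log format, field names, member ids and release time are all assumptions made for the example.

```python
"""Added example: post-release anomalous read detection over constructed log lines
(hypothetical log format, not from the article or any real platform)."""
from collections import defaultdict
from datetime import datetime, timezone
import re

# Assumed log line shape: "<ISO timestamp> session=<member id> read=<record id>"
LOG_RE = re.compile(r"^(?P<ts>\S+) session=(?P<session>\S+) read=(?P<record>\S+)$")

# Constructed sample log; lines before RELEASE_AT are the baseline period.
SAMPLE_LOG = """\
2026-04-01T08:00:00Z session=M-1001 read=M-1001
2026-04-01T08:05:00Z session=M-1002 read=M-1002
2026-04-01T09:10:00Z session=M-1003 read=M-1003
2026-04-03T10:00:00Z session=M-1001 read=M-1001
2026-04-03T10:00:30Z session=M-1001 read=M-1002
2026-04-03T10:01:00Z session=M-1001 read=M-1003
2026-04-03T10:02:00Z session=M-1002 read=M-1002
2026-04-03T10:03:00Z session=M-1003 read=M-1001
"""
# Assumed release time for the example, chosen between the two groups of lines.
RELEASE_AT = datetime(2026, 4, 2, tzinfo=timezone.utc)


def parse(line):
    """Return (timestamp, session, record) or None for a line that does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["session"], m["record"]


def find_anomalous_reads(log_text, release_at=RELEASE_AT):
    """Map each session to the sorted list of records it read after the release
    that it had never read before and that do not belong to it."""
    baseline = defaultdict(set)
    post_release = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue  # skip malformed lines rather than failing the monitor
        ts, session, record = parsed
        if ts < release_at:
            baseline[session].add(record)
        else:
            post_release[session].add(record)
    anomalies = {}
    for session, records in post_release.items():
        novel = {r for r in records if r not in baseline[session] and r != session}
        if novel:
            anomalies[session] = sorted(novel)
    return anomalies


def should_halt_rollout(anomalies, affected_accounts_threshold=2):
    """Canary gate: stop the release once at least N distinct accounts in the
    canary cohort have read another member's record."""
    return len(anomalies) >= affected_accounts_threshold


if __name__ == "__main__":
    found = find_anomalous_reads(SAMPLE_LOG)
    print(found)
    print("halt rollout:", should_halt_rollout(found))
```

In the sample, M-1002 only ever reads its own record and is not flagged, while M-1001 and M-1003 each read records belonging to other members after the release, which trips the two-account gate. A real deployment would feed the detector from the platform's access logs and tune the threshold to the size of the canary cohort.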

Sources: Capita gave civil servants access to other people's pensions data