
Capita launched civil service pension scheme website without ‘basic’ web security


Capita was warned in December that the security of the online domain which manages the pensions of 1.7 million members of the Civil Service Pension Scheme (CSPS) lacked “basic controls”.

Only after the warning, through what Capita’s chief information security officer (CISO) Luke Beeson acknowledged as a “responsible disclosure”, did Capita enable DNSSEC on the CSPS domain.

DNS hijacking/DNS redirection is the biggest risk if DNSSEC is not enabled, meaning users could type the correct domain name and still end up on a malicious site.
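The control the article turns on can be checked from outside the organisation with `dig +dnssec DS <zone>`: a DS record at the parent shows DNSSEC is enabled, and the resolver’s AD flag shows the chain of trust validated. The script below is an added example (not from the article, Capita or Jenkinson) that reads such dig output and reports those signals; the two dig outputs and the zone name example.org.uk are constructed, so it runs offline.

```python
import re
# Constructed sample (not real data): `dig +dnssec DS example.org.uk @<validating resolver>`
# for a zone whose parent publishes a DS record; the resolver validated it and set AD.
SIGNED_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.org.uk.\t3600\tIN\tDS\t12345 13 2 CONSTRUCTEDDIGEST
example.org.uk.\t3600\tIN\tRRSIG\tDS 13 3 3600 20250201000000 20250101000000 4321 org.uk. CONSTRUCTEDSIG
"""
# Constructed sample: same query for a zone with no DS at the parent (DNSSEC not enabled).
UNSIGNED_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54321
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; AUTHORITY SECTION:
org.uk.\t600\tIN\tSOA\tns.example. hostmaster.example. 1 7200 900 1209600 600
"""

def answer_types(dig_output: str) -> set:  # RR types in the ANSWER section only
    # AUTHORITY may carry the parent's own RRSIGs (NSEC proofs), which must not count.
    types, in_answer = set(), False
    for line in dig_output.splitlines():
        if line.startswith(";; ") and line.endswith("SECTION:"):
            in_answer = line == ";; ANSWER SECTION:"
        elif in_answer and line and not line.startswith(";"):
            parts = line.split()
            if len(parts) >= 4 and parts[2] == "IN":
                types.add(parts[3])
    return types

def dnssec_signals(dig_output: str) -> dict:  # status, AD flag, DS/RRSIG presence
    flags_m = re.search(r"^;; flags: ([^;]*);", dig_output, re.M)
    flags = set(flags_m.group(1).split()) if flags_m else set()
    status_m = re.search(r"status: (\w+)", dig_output)
    types = answer_types(dig_output)
    return {"status": status_m.group(1) if status_m else "UNKNOWN",
            "validated": "ad" in flags,         # resolver validated the chain of trust
            "ds_published": "DS" in types,      # parent zone delegates trust to this zone
            "signed_answer": "RRSIG" in types}  # the answer itself carries a signature

def assess(dig_output: str) -> str:  # verdict a reviewer would put in a report
    s = dnssec_signals(dig_output)
    if s["status"] == "SERVFAIL":
        return "SERVFAIL: bogus signatures or resolver failure, do not trust until resolved"
    if s["ds_published"] and s["validated"]:
        return "DS published and resolver validated the chain (AD set)"
    if s["ds_published"]:
        return "DS published but AD not set: this resolver is not validating"
    return "no DS record at the parent: DNSSEC not enabled for this zone"
```

Run the same query against a validating resolver and a non-validating one: a DS record without the AD flag tells you the zone is signed but the client side is not checking.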

Capita took over CSPS administration on 1 December last year, after a £239m contract was won in 2023. It has been beset by problems (see box, below).

CSPS warning

That same month, a warning to Capita from attack-surface management expert Andrew Jenkinson informed officials at the company, including CEO Adolfo Hernandez, that there were serious vulnerabilities in the CSPS domain.

In his initial contact on 6 December, soon after Capita took over CSPS administration, Jenkinson – an expert in areas including Domain Name System (DNS) and Public Key Infrastructure (PKI) security – wrote: “News of the CSPS issues prompted us to undertake some research as cited experts and the threat intelligence is too damning not to try to reach out to you all collectively.”

Jenkinson offers chargeable consultancy work to companies when he reveals security holes. “We identify vulnerabilities and share that information. Should a company want to take our consulting expertise that’s discussed and agreed,” he told Computer Weekly.

The UK government encourages security experts to report any vulnerabilities they discover, with advice on how to respond to such disclosures published by the National Cyber Security Centre. Security researchers will often subsequently report these vulnerabilities publicly once they have been resolved by the affected company.

In a follow-up email, Jenkinson told Capita CISO Beeson: “The report, like our expertise, are not a free service.” Beeson replied: “Understood, it would be very helpful to see the report when it’s ready.”

Acted on warnings

Beeson acknowledged in an email to Jenkinson that Capita enabled DNSSEC on the CSPS domain, along with other changes, after his warning.

In an email to Beeson on 5 January this year, Jenkinson wrote: “I’m pleased that following the threat intelligence we shared in December, DNSSEC has been implemented on the top-level domain for civilservicepensionscheme.org.uk, which addressed a key visibility and integrity gap.”

Beeson replied on 14 January: “I’m glad you noticed that we’ve enabled DNSSEC on the CSPS domain.”

In another email to Jenkinson on 27 March, Beeson wrote: “Thanks again for all the responsible disclosures you’ve shared. I can assure you that we’re taking them seriously internally and acting on them where we can as we did with the CSPS DNSSEC implementation.”

Bare minimum

Cindy Lawless, a US-based expert in cyber security quality, trust, and DNS security infrastructure, said failure to enable DNSSEC suggests a lack of expertise.

“This is pretty basic bare minimum stuff for managing a website,” she told Computer Weekly. “It’s a serious failure for a site that’s financial in nature. Up until the time DNSSEC was enabled anyone could redirect that traffic and pretend to be the pension site. And the end-user wouldn’t really know without digging,” she added. “It’s a huge blind spot.”

Lawless said there is no way to have the chain of trust authentication without it: “This is the only way to prove the DNS records are genuine.”

One source told Computer Weekly that a high-threat domain like CSPS “needs belt and braces,” which DNSSEC provides.

“In this context not having it is a big red flag, but not catastrophic depending on what else you have next. If [architecture] professionals went to a government or financial services website and it wasn’t there, they’d switch it on, they’d want belt and braces.”

Steve Forbes, a security expert at UK internet domain registrar Nominet, said: “DNSSEC is an important tool for strengthening domain authenticity and protecting against certain types of DNS tampering, but it also introduces additional operational complexity, so needs to be carefully managed to avoid unintended availability risks.”

Forbes said it should be seen as one part of a broader security approach, rather than a universal one-size-fits-all solution.

“It may not be suitable in all situations, and there are other security measures that could be used to reduce the risk of attacks like cache poisoning and tampering in transit – which are common attacks that DNSSEC is used to prevent,” he added.

Responsible disclosure

Beeson offered to pay Jenkinson’s company for work already done. “What value would you place on the work done so far? I ask as we have benefited from your responsible disclosure and therefore, I think it’s right that we pay for that. If you could share what your fee would be we can discuss and agree terms through procurement,” he wrote on 30 March. Jenkinson’s colleague wrote back setting out a price for work done and the fee arrangement.

On 7 April, after receiving the fee outline, Beeson wrote to Jenkinson: “We appreciate you reaching out to us to share your concerns regarding Capita’s external security posture. I’m also grateful to you for finding the time to offer your services and subsequently share details of your fees were Capita minded to engage you.

“I have previously explained to you that I’m content with our security posture, which is always under constant review, and improvement, where required. On this basis, I don’t think it necessary that Capita engage you and your services.”

A few days later, Jenkinson informed Capita of his intention to release information about the original vulnerability to the regulators and press.

Following this, Capita, through its legal representative Eversheds Sutherland, wrote to Jenkinson. It said he had “not been engaged by Capita to carry out any work on its behalf, nor [had] Capita at any time agreed to pay [him] for any actions [he] may have chosen to take of [his] own volition.”

Computer Weekly asked Capita why DNSSEC was not enabled on the CSPS domain when it went live, and why it was only enabled after Jenkinson warned of vulnerabilities. The company did not respond.

Computer Weekly also asked why, after offering to pay Jenkinson for what Beeson described as “responsible disclosures” and future work, Capita decided not to work with him. The company did not respond.

Capita said: “Capita takes cyber security extremely seriously and we are confident in our security posture. We have a comprehensive, continuously monitored security framework in place, and work transparently with government clients and the National Cyber Security Centre. Our latest annual cyber security maturity assessment – carried out by reputable external independent assessors – assessed us favourably across all dimensions of the National Institute of Standards and Technology (NIST) cyber maturity framework.

“Our security measures meet all contractual requirements, and we regularly review and strengthen them to keep pace with the rapidly changing security environment.

“Capita received an unsolicited approach from Andrew Jenkinson; we decided not to work with him for a number of reasons.”

Data breaches

In late March, the CSPS scheme experienced a minor data breach affecting 138 members. According to the outsourcer, the issue led to scheme members being able to view personal annual benefit statements that were not their own. Computer Weekly has seen no evidence to suggest this was related to the flaws identified by Jenkinson.

Separately to CSPS, last year the Information Commissioner’s Office (ICO) fined Capita £8m and Capita Pension Solutions £6m for failing to ensure the security of processing of personal data, which left it at significant risk. The ICO added that the company did not have the “appropriate technical and organisational measures” to respond effectively.

The fine came after a Black Basta ransomware cyber attack in March 2023 that affected a number of Capita clients, including the London boroughs of Barnet, and Barking and Dagenham. The ICO said six million people were affected by the data breach, with the information stolen including pension and staff records and details of Capita’s customers.

After settling the fine with the ICO last year, Capita CEO Hernandez said: “When I joined as CEO the year after the attack I accelerated our cyber security transformation, with new digital and technology leadership and significant investment. As a result, we have vastly strengthened our cyber security posture, built in advanced protections and embedded a culture of continuous vigilance.”

Regulators in the loop

Jenkinson also informed the Cabinet Office, which owns the CSPS, and the ICO, giving a detailed outline of the security issues he identified.

On 20 April, Jenkinson emailed them, along with other government organisations, under the heading: “Systemic cyber security failures impacting 1.7 million civil servants – immediate regulatory intervention required.”

He wrote: “I am writing to formally escalate a matter of urgent national importance concerning systemic cyber security failures across the CSPS, currently administered by Capita plc since 1 December 2025.”

In response to a Computer Weekly question about this, the Cabinet Office said: “We remain in close contact with Capita on the broader security of the CSPS.”

The ICO was asked what, if any, action it would take in regard to Jenkinson’s email. It sent Computer Weekly a statement about the cyber attack that hit the CSPS in March. Repeated attempts to get a response about Jenkinson’s disclosure resulted in the ICO stating it had nothing to add to the statement about the earlier breach, to which the question was not related.

According to figures from Tussell, Capita currently has 199 public sector contracts worth a combined £7.9bn.