
Capita launched civil service pension scheme site without ‘basic’ web security

Outsourcer went live with its troubled civil service pensions administration without a basic Domain Name System security feature

Capita was warned in December that the web domain that manages the pensions of 1.7 million members of the Civil Service Pension Scheme (CSPS) lacked “basic controls”.

Only after the warning, through what Capita’s chief information security officer (CISO) Luke Beeson acknowledged as a “responsible disclosure”, did Capita enable DNSSEC on the CSPS domain.

The biggest risk when DNSSEC is not enabled is DNS hijacking, also known as DNS redirection: users could type the correct domain name and still be sent to a malicious site.

Capita took over CSPS administration on 1 December last year, after winning a £239m contract in 2023. It has been beset by problems (see box, below).

CSPS warning

That same month, a warning to Capita from attack-surface management expert Andrew Jenkinson informed officials at the company, including CEO Adolfo Hernandez, that there were serious vulnerabilities in the CSPS domain.

In his initial contact on 6 December, soon after Capita took over CSPS administration, Jenkinson - an expert in areas including Domain Name System (DNS) and Public Key Infrastructure (PKI) security - wrote: “News of the CSPS issues prompted us to undertake some research as cited experts and the threat intelligence is simply too damning not to try and reach out to you all collectively.”

Jenkinson offers chargeable consultancy work to companies when he unearths security holes. “We identify vulnerabilities and share that information. Should a company want to take our consulting expertise that is discussed and agreed,” he told Computer Weekly.

The UK government encourages security experts to report any vulnerabilities they discover, with advice on how to respond to such disclosures published by the National Cyber Security Centre. Security researchers will often subsequently report those vulnerabilities publicly once they have been resolved by the affected company.

In a follow-up email, Jenkinson told Capita CISO Beeson: “The report, like our expertise, are not a free service.” Beeson replied: “Understood, it would be very helpful to see the report when it’s ready.”

Acted on warnings

Beeson acknowledged in an email to Jenkinson that Capita enabled DNSSEC on the CSPS domain, along with other changes, after his warning.

In an email to Beeson on 5 January this year, Jenkinson wrote: “I am very pleased that following the threat intelligence we shared in December, DNSSEC has been implemented at the top-level domain for civilservicepensionscheme.org.uk, which addressed a key visibility and integrity gap.”

Beeson replied on 14 January: “I’m glad you spotted that we’ve enabled DNSSEC on the CSPS domain.”

In another email to Jenkinson on 27 March, Beeson wrote: “Thank you again for all the responsible disclosures you’ve shared. I can assure you that we’re taking them seriously internally and acting on them where we can as we did with the CSPS DNSSEC implementation.”

Bare minimum

Cindy Lawless, a US-based expert in cyber security quality, trust, and DNS security infrastructure, said failure to enable DNSSEC suggests a lack of skills.

“This is pretty basic bare minimum stuff for managing a website,” she told Computer Weekly. “It is a serious failure for a site that is financial in nature. Up until the time DNSSEC was enabled anyone could redirect that traffic and pretend to be the pension site. And the end-user wouldn’t really know without digging,” she added. “It’s a huge blind spot.”

Lawless said there is no way to have the chain of trust authentication without it: “This is the only way to prove the DNS records are genuine.”
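The two technical claims in this piece, that without DNSSEC a correct domain name can still resolve to an attacker's site, and that DNSSEC is the only way to prove DNS records are genuine, come down to whether a verifiable chain of trust exists from the parent zone to the domain's own keys. The script below is an added example, not code from the article, from Capita or from Jenkinson: it takes the text of `dig +dnssec DS <zone>` and `dig +dnssec DNSKEY <zone>` from a validating resolver and reports whether the parent publishes a DS record, whether a zone key matches that DS (key tag, algorithm and digest as defined in RFC 4034), whether the DNSKEY set is signed, and whether the resolver set the AD flag. The zone name `example.org.uk`, the keys, the signatures and the dig output are all constructed placeholders (the 8-byte key is far too short for real use); the CSPS domain itself is not queried.

```python
"""Added example: check a zone's DNSSEC chain of trust from dig output."""
import base64
import hashlib
import re


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, proto: int, alg: int, key_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest per RFC 4034 section 5.1.4: hash(owner wire name | DNSKEY RDATA)."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return algo(owner_to_wire(owner) + rdata).hexdigest().upper()


RR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$")


def parse_dig(text: str):
    """Return (ad_flag_set, [(owner, rrtype, rdata_text), ...]) from dig output."""
    ad, records = False, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";; flags:"):
            ad = "ad" in line[len(";; flags:"):].split(";")[0].split()
        elif line and not line.startswith(";"):
            m = RR_LINE.match(line)
            if m:
                records.append(m.groups())
    return ad, records


def check_chain(zone: str, ds_output: str, dnskey_output: str) -> dict:
    """Evaluate the DS -> DNSKEY link for `zone` and report each condition."""
    z = zone.lower().rstrip(".")
    ds_ad, ds_rrs = parse_dig(ds_output)
    key_ad, key_rrs = parse_dig(dnskey_output)
    ds_records = [r for o, t, r in ds_rrs if t == "DS" and o.lower().rstrip(".") == z]
    keys = []
    for o, t, r in key_rrs:
        if t == "DNSKEY" and o.lower().rstrip(".") == z:
            parts = r.split()  # dig may break the base64 key into spaced chunks
            rdata = dnskey_rdata(int(parts[0]), int(parts[1]), int(parts[2]), "".join(parts[3:]))
            keys.append((int(parts[0]), int(parts[2]), key_tag(rdata), rdata))
    signed = any(t == "RRSIG" and r.split()[0] == "DNSKEY" for _, t, r in key_rrs)
    matched = []
    for ds in ds_records:
        tag, alg, dtype, digest = ds.split(maxsplit=3)
        digest = digest.replace(" ", "").upper()
        for flags, kalg, ktag, rdata in keys:
            # The DS must name a key with the Zone Key flag (bit 7) set.
            if (ktag, kalg) == (int(tag), int(alg)) and flags & 0x100 \
                    and ds_digest(zone, rdata, int(dtype)) == digest:
                matched.append(ktag)
    report = {
        "ds_published": bool(ds_records),
        "ksk_matches_ds": bool(matched),
        "matched_key_tags": matched,
        "dnskey_signed": signed,
        "resolver_validated": ds_ad and key_ad,
    }
    report["secure"] = (report["ds_published"] and report["ksk_matches_ds"]
                        and signed and report["resolver_validated"])
    return report


# Constructed placeholders: not the CSPS domain, not real keys.
ZONE = "example.org.uk."
KSK_B64 = "AQIDBAUGBwg="  # bytes 0x01..0x08; a real ECDSA P-256 key is 64 bytes
KSK_RDATA = dnskey_rdata(257, 3, 13, KSK_B64)
KSK_TAG = key_tag(KSK_RDATA)  # 5154 for the bytes above

# Constructed dig output for a signed delegation: the parent publishes a DS.
SIGNED_DS_OUTPUT = f"""
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
{ZONE}\t3600\tIN\tDS\t{KSK_TAG} 13 2 {ds_digest(ZONE, KSK_RDATA, 2)}
{ZONE}\t3600\tIN\tRRSIG\tDS 13 3 3600 20260601000000 20260501000000 11111 org.uk. c2lnbmF0dXJlCg==
"""
SIGNED_DNSKEY_OUTPUT = f"""
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
{ZONE}\t3600\tIN\tDNSKEY\t257 3 13 {KSK_B64}
{ZONE}\t3600\tIN\tDNSKEY\t256 3 13 CAkKCwwNDg8=
{ZONE}\t3600\tIN\tRRSIG\tDNSKEY 13 3 3600 20260601000000 20260501000000 {KSK_TAG} {ZONE} c2lnbmF0dXJlCg==
"""
# Constructed dig output for the unsigned case: no DS at the parent, no AD flag.
UNSIGNED_DS_OUTPUT = """
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
org.uk.\t900\tIN\tSOA\tns1.example.net. hostmaster.example.net. 1 3600 600 1209600 900
"""
UNSIGNED_DNSKEY_OUTPUT = """
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
"""

if __name__ == "__main__":
    print("signed:  ", check_chain(ZONE, SIGNED_DS_OUTPUT, SIGNED_DNSKEY_OUTPUT))
    print("unsigned:", check_chain(ZONE, UNSIGNED_DS_OUTPUT, UNSIGNED_DNSKEY_OUTPUT))
```

The unsigned case is what the article describes before January: the zone may serve perfectly good answers, but with no DS record at the parent a resolver has nothing to validate against, so a forged answer and a genuine one are indistinguishable to the client. To run this against a real zone you operate, capture the two dig outputs and pass them to `check_chain`; the "ad" flag is only meaningful if the resolver you query performs validation.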

One source told Computer Weekly that a high-threat domain like CSPS “needs belt and braces,” which DNSSEC provides.

“In this context not having it is a big red flag, but not catastrophic depending on what else you have next. If [architecture] professionals went to a government or financial services website and it wasn’t there, they would switch it on, they would want belt and braces.”

Steve Forbes, a security expert at UK internet domain registrar Nominet, said: “DNSSEC is an important tool for strengthening domain authenticity and protecting against certain types of DNS tampering, but it also introduces additional operational complexity, so needs to be carefully managed to avoid unintended availability risks.”

Forbes said it should be seen as a single part of a broader security approach, rather than a universal one-size-fits-all solution.

“It may not be suitable in all situations, and there are other security measures that could be used to reduce the risk of attacks like cache poisoning and tampering in transit - which are common attacks that DNSSEC is used to prevent," he added.

Responsible disclosure

Beeson offered to pay Jenkinson’s company for work already completed. “What value would you place on the work done to date? I ask as we have benefited from your responsible disclosure and therefore, I think it’s right that we pay for that. If you could share what your fee would be we can discuss and agree terms via procurement,” he wrote on 30 March. Jenkinson’s colleague wrote back setting out a price for work done and the fee arrangement.

On 7 April, after receiving the fee outline Beeson wrote to Jenkinson: “We appreciate you reaching out to us to share your concerns regarding Capita’s external security posture. I am also grateful to you for finding the time to offer your services and subsequently share details of your fees were Capita minded to engage you. 

“I have previously explained to you that I am content with our security posture, which is always under constant review, and improvement, where required. On this basis, I do not think it necessary that Capita engage you and your services.”

A few days later, Jenkinson informed Capita of his intention to release information about the original vulnerability to the regulators and press.

Following this Capita, through its legal representative Eversheds Sutherland, wrote to Jenkinson. It said he had “not been engaged by Capita to carry out any work on its behalf, nor [had] Capita at any time agreed to pay [him] for any actions [he] may have chosen to take of [his] own volition.”

Computer Weekly asked Capita why DNSSEC was not enabled on the CSPS domain when it went live, and why it was only enabled after Jenkinson warned the company about vulnerabilities. The company did not answer.

Computer Weekly also asked why, after offering to pay Jenkinson for what Beeson described as “responsible disclosures” and for future work, Capita decided not to work with him. The company did not answer.

Capita said: “Capita takes cyber security extremely seriously and we are confident in our security posture. We have a comprehensive, continuously monitored security framework in place, and work transparently with government clients and the National Cyber Security Centre. Our latest annual cyber security maturity assessment - conducted by reputable external independent assessors - assessed us favourably across all dimensions of the National Institute of Standards and Technology (NIST) cyber maturity framework. 

“Our security measures meet all contractual requirements, and we continually review and strengthen them to keep pace with the rapidly changing security environment.

“Capita received an unsolicited approach from Andrew Jenkinson; we decided not to work with him for multiple reasons.”

Data breaches

In late March, the CSPS experienced a minor data breach affecting 138 members. According to the outsourcer, the issue led to scheme members being able to view personal annual benefit statements that were not their own. Computer Weekly has seen no evidence to suggest this was related to flaws identified by Jenkinson.

Separately to CSPS, last year the Information Commissioner’s Office (ICO) fined Capita £8m and Capita Pension Solutions £6m for failing to ensure the security of processing of personal data, which left it at significant risk. The ICO added that the company did not have the “appropriate technical and organisational measures” to respond effectively.

The fine came after a Black Basta ransomware cyber attack in March 2023 that affected several Capita clients, including the London boroughs of Barnet, and Barking and Dagenham. The ICO said six million people had been affected by the data breach, with the information stolen including pension and staff records and details of Capita’s customers.

After settling the fine with the ICO last year, Capita CEO Hernandez said: “When I joined as CEO the year after the attack I accelerated our cyber security transformation, with new digital and technology leadership and significant investment. As a result, we have hugely strengthened our cyber security posture, built in advanced protections and embedded a culture of continuous vigilance.”

Regulators in the loop

Jenkinson also informed the Cabinet Office, which owns the CSPS, and the ICO, giving a detailed outline of the security issues he identified.

On 20 April, Jenkinson emailed them, along with other government organisations, under the heading: “Systemic cyber security failures impacting 1.7 million civil servants – immediate regulatory intervention required.”

He wrote: “I am writing to formally escalate a matter of urgent national significance concerning systemic cyber security failures within the CSPS, currently administered by Capita plc since 1 December 2025.”

In response to a Computer Weekly question about this, the Cabinet Office said: “We remain in close contact with Capita on the wider security of the CSPS.”

The ICO was asked what, if any, action it would take in regard to Jenkinson’s email. It sent Computer Weekly a statement about the cyber attack that hit the CSPS in March. Repeated attempts to get a response about Jenkinson’s disclosure resulted in the ICO stating it had nothing to add to the statement about the earlier breach, to which the question was not related.

According to figures from Tussell, Capita currently has 199 public sector contracts worth a combined £7.9bn.
