June 4, 2026 — UK — Outsourcing giant Capita has come under scrutiny after launching the Civil Service Pension Scheme (CSPS) website, which manages pensions for 1.7 million members, without enabling a fundamental security feature known as DNSSEC.
Security experts warned Capita in December that the domain lacked “basic controls,” leaving it vulnerable to DNS hijacking and redirection attacks, where users could be tricked into visiting malicious sites despite typing the correct address. Only after the warning did Capita enable DNSSEC, a move acknowledged by its Chief Information Security Officer, Luke Beeson, as a response to “responsible disclosure.”
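The control at issue works by publishing a signed chain of trust: the parent zone holds a DS record derived from the child zone's DNSKEY, and a validating resolver rejects answers whose keys do not match it. The following added example (not code from the article, Capita or the CSPS site; the zone name and key bytes are constructed placeholders) computes a DNSKEY's key tag and SHA-256 DS digest and shows that a substituted key fails the check.

```python
import hashlib
import struct

# Constructed sample values (not the real CSPS zone): an illustrative DNSKEY
# for a placeholder zone, used to show how a parent's DS record is derived.
ZONE = "example.org."
FLAGS, PROTOCOL, ALGORITHM = 257, 3, 13   # 257 = KSK (ZONE + SEP bits); 13 = ECDSAP256SHA256
PUBLIC_KEY = bytes([1, 2, 3, 4])           # placeholder key material, far too short for a real key


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """Serialise DNSKEY RDATA as on the wire (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit sum over big-endian byte pairs."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, length-prefixed, root terminator."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_digest_sha256(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2 (SHA-256) over owner name || DNSKEY RDATA (RFC 4509)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()


def ds_matches(owner: str, rdata: bytes, ds_key_tag: int, ds_digest: bytes) -> bool:
    """Check a parent-zone DS record against the child's DNSKEY. Both the key tag and
    the digest must agree; a mismatch means the chain of trust to this key is broken."""
    return key_tag(rdata) == ds_key_tag and ds_digest_sha256(owner, rdata) == ds_digest


if __name__ == "__main__":
    rdata = dnskey_rdata(FLAGS, PROTOCOL, ALGORITHM, PUBLIC_KEY)
    tag = key_tag(rdata)
    digest = ds_digest_sha256(ZONE, rdata)
    print(f"{ZONE} DS {tag} {ALGORITHM} 2 {digest.hex()}")
    # A key substituted by a hijacker no longer matches the DS published in the parent.
    forged = dnskey_rdata(FLAGS, PROTOCOL, ALGORITHM, bytes([9, 9, 9, 9]))
    print("forged key accepted:", ds_matches(ZONE, forged, tag, digest))
```

Without a DS record in the parent zone there is nothing for a resolver to compare against, which is the state the site was in before DNSSEC was enabled.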
Cybersecurity specialists described the omission as a serious failure for a financial site. Cindy Lawless, a DNS security expert, said: “This is pretty basic bare minimum stuff for managing a website. Up until the time DNSSEC was enabled anyone could redirect that traffic and pretend to be the pension site.”
Capita took over CSPS administration in December 2025 under a £239 million contract, but the rollout has been plagued by issues. In March, a minor data breach affected 138 members, allowing them to view benefit statements belonging to others. Separately, Capita was fined £14 million by the ICO in 2025 for failing to secure personal data during a ransomware attack that impacted millions.
Emails show Capita initially considered paying consultant Andrew Jenkinson, who identified the vulnerabilities, but later declined his services. Jenkinson subsequently informed regulators, including the Cabinet Office and the Information Commissioner’s Office, of what he described as “systemic cyber security failures impacting 1.7 million civil servants.”
Capita maintains that it takes cybersecurity “extremely seriously,” citing independent assessments under the NIST cyber maturity framework. However, critics argue the company acted more to protect its reputation than to address technical risks.
With 199 public sector contracts worth £7.9 billion, Capita’s handling of the CSPS site raises broader concerns about cybersecurity standards in critical government services.