UK-based Capita Updates on Cyber Attack Incidents

British outsourcing company Capita, which reportedly experienced two cyber-attacks in March and May this year, has noticed some issues due to the data breaches. The company which runs services for local councils, the NHS, the military, and several others experienced the first hacking incident on the 31st of March which caused a significant IT outage.

The company initially described the hack as a cyber incident primarily impacting access to internal applications and reported that no data appeared to have been stolen. Shortly after, a ransomware group subsequently claimed credit for the attack, and Capita belatedly confirmed that sensitive data had been stolen.

The company resorted to corporate doublespeak in a bid to minimize the severity of the hack, trotting out a made-up measure of affected “server estate” to measure the severity of a hacking incident

The attack spurred the Pensions Regulator (TPR) to write to more than 300 pension funds to ask them to check whether data had been stolen by hackers.

Again, a second data breach occurred in May, after it was reported that the UK-Based firm had left benefits data files in publicly accessible storage. The incident involved an unsecured Amazon Web Services bucket containing more than half a terabyte of data.

In a statement, the ICO at Capita said,

“We are aware of two incidents concerning Capita, regarding a cyber-attack in March and the use of publicly accessible storage. We are receiving a large number of reports from organizations directly affected by these incidents and we are currently making inquiries.

“We are encouraging organizations that use Capita’s services to check their Own position regarding these incidents and determine if the personal data they hold has been affected. If necessary, consider reporting a data breach to the ICO and we will use this information to inform our next steps.”

British security researcher Kevin Beaumont said he found and reported the AWS data exposure to Capita on April 24. “The bucket had been exposed to the internet and unprotected by a password since 2016”, he said, putting at risk 655 gigabytes of data spread across 3,000 files.

Capita then disclosed that the exposed AWS bucket included release notes and user guides, which are routinely published alongside software releases in line with standard industry practice. The firm however did not state that personal data was among the types of information exposed. It did say the bucket was now secure.

Meanwhile, the British local governments disagreed. The Adur & Worthing Councils said in a statement that they don’t believe Capita’s assurances that the AWS breach did not involve personal data for its residents.

The council wrote,

“Our internal investigation has involved reviewing each of the files that Capita has said was involved. Unfortunately, this has revealed that those files did in fact contain some personal data belonging to around 100 Adur and Worthing residents,” although they added that at this stage, we consider that the risk to our residents appears minimal.”

Capita expects to incur exceptional costs of approximately £15m to £20m associated with the cyber incident, comprising specialist professional fees, recovery and remediation costs, and investment to reinforce Capita’s cyber security environment.

The company holds more than $8 billion in U.K. government contracts. Customers include the National Health Service, Britain’s military, the Royal Bank of Scotland, and telecommunications giants O2 and Vodafone, who collectively handle data pertaining to millions of individuals.

Lately, it has continued to work closely and at speed with specialist advisers and forensic experts to investigate and resolve the cyber incident. It has also taken further steps to ensure the integrity, safety, and security of its IT infrastructure to underpin its ongoing client service commitments.