Wednesday, 7 June 2023

What can we learn from the Capita data breaches?

Capita’s cyber security practices should be second to none. Yet recent events have illustrated how supply chain security cannot be taken for granted.

As one of the UK’s leading providers of business process outsourcing services, Capita’s cyber security practices should be second to none. Yet the events of this year have strikingly illustrated how supply chain security cannot be taken for granted.


So, what can organisations learn from the data breaches at Capita?

On March 31, the business outsourcing company Capita announced that some of its staff were experiencing problems and outages with essential systems. It raised immediate concern because of the company’s client list, which includes local and central government institutions as well as major UK companies.


A muted response to the incident

However, the response was muted – largely because Capita chose to downplay the incident, informing customers that there was no cause for concern. The company’s initial statement said, “The issue was limited to parts of the Capita network and there is no evidence of customer, supplier or colleague data having been compromised.”

It wasn’t until April 20 that Capita finally announced that the incident was likely a result of a malicious hacking attack.

Subsequent evidence and analysis suggest that Capita most likely knew this was the case at the time of its original announcement and that the initial breach occurred on March 22. Indeed, as early as April 8, the ransomware group Black Basta was sharing leaked Capita data on its website.


Why did Capita choose to downplay the incident?

Capita’s sluggishness in coming forward with information and its decision to downplay the incident in its early stages seem incomprehensible, given the services it provides and its customer base.

The UK GDPR requires organisations to report data breaches to the Information Commissioner’s Office (ICO) within 72 hours of discovering them. Significant fines and penalties apply if this report is not made.

The breach and the failure to report it adequately are a significant dent to Capita’s reputation. Furthermore, Capita’s lacklustre response has focused a great deal of attention on the company’s data security and cyber security practices.


Bad practices come to light

In May, the news broke of a further data security problem at Capita. The vulnerability was reported to Capita by a security researcher, Kevin Beaumont, who had been looking into the original cyber-attack. In a problem that is thought to date back to 2016, a misconfigured AWS S3 storage bucket had no password protection, leaving the files stored there unsecured. Beaumont alerted Capita to the issue in April, but the news was only released in May.

The delay in reporting this second issue further compounds the damage to Capita’s reputation. How can its customers trust it to tell them when their data and their customers’ data has been compromised?


The downstream effects of the Capita breach

Since April, more than 90 organisations have reported data breaches to ICO as a result of the Capita breach. These organisations include a number of local councils as well as household names including Marks & Spencer, Diageo and Royal Mail.

The Pensions Regulator wrote to more than 300 pension funds to ask them to check whether data had been stolen. It reminded them: “As trustees you are responsible for the security of your members’ data. If you use Capita’s services, you should check whether your pension scheme’s data could be affected. Make sure you keep communicating with Capita as the situation evolves.”

However, security experts have warned that it could be years before the full extent of the data breach comes to light. Meanwhile, The Register has reported that Black Basta is selling sensitive exfiltrated data, including bank account information, addresses and passport photos stolen from the IT outsourcing giant.


NCSC calls for more transparency around attacks

Eleanor Fairford, deputy director of incident management at the UK’s National Cyber Security Centre (NCSC), is increasingly concerned about the number of attacks that are not reported and pass quietly by, pushed aside, with ransoms paid swiftly to make the problem go away.

“The NCSC supports victims of cyber incidents every day, but we are increasingly concerned about the organisations that decide not to come forward,” she said. “Keeping a cyber-attack secret helps nobody except the perpetrators, so we strongly encourage victims to report incidents and seek support to help effectively deal with the fallout. By responding openly and sharing information, organisations can help mitigate the risk to their operations and reputation, as well as break the cycle of crime to prevent others from falling victim.”


Learning from the Capita experience

Capita expects to incur “exceptional costs” in the region of £15m to £20m as a result of the March 2023 Black Basta ransomware attack on its systems, according to Computer Weekly.

Getting ahead of the news and reporting the data breach early to the ICO would have helped to minimise any costs associated with ICO penalties, which have yet to be announced.

Capita is now working with security experts to understand the breach and close further vulnerabilities. Doing this work upfront would not only have been better for its customers, it may well also have been more cost effective.


Actions your organisation can take now

If you’ve been affected by the Capita breach, then the NCSC advice is to stay in contact with the company. Any breaches of personal data should be reported to ICO immediately.

The Capita breach has demonstrated the knock-on effects of data breaches very clearly. It’s a really good idea to understand how and where your organisation’s and your customers’ data is being shared. Begin by following the NCSC’s advice on mapping your supply chain.

The ICO has also emphasised the need to follow basic cyber security good practice. Not password-protecting an exposed S3 bucket of customer data was a clear failure on Capita’s part. It shows that even some of the biggest IT outsourcers can fail to follow basic levels of security. The Cyber Essentials framework is a great place to start to ensure that your organisation has basic, essential measures in place.
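The exposed-bucket problem described in the "Bad practices come to light" section and again here comes down to how an S3 bucket's access is configured: the bucket's ACL, its bucket policy, and the account or bucket-level Block Public Access settings together decide whether anyone on the internet can read the files. The script below is an added example written for this article, not code from Capita, the ICO or the NCSC. It evaluates those three settings offline, in the same dictionary and JSON shapes that the AWS SDK (boto3) returns from `get_public_access_block` (the inner `PublicAccessBlockConfiguration`), `get_bucket_acl` and `get_bucket_policy`, so it can be dropped behind real API calls. The bucket name, account ID, role name and policies are constructed sample values.

```python
"""Assess whether an S3 bucket's configuration leaves its objects publicly readable.

Added example, not from the original article. Inputs mirror boto3 response
shapes; all bucket names, account IDs and policies below are constructed.
"""
import json

# Canonical grantee URIs AWS uses for "everyone" and "any signed-in AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# The four switches in an S3 PublicAccessBlockConfiguration.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_public_grants(acl):
    """Return the permissions a bucket ACL grants to the public group grantees."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append(grant["Permission"])
    return found


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (a wildcard principal)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy_json):
    """Return Sids of unconditioned Allow statements open to any principal."""
    if not policy_json:
        return []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    public = []
    for i, st in enumerate(statements):
        # Conditioned grants (e.g. aws:SourceVpc) need manual review and are not flagged here.
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        if _principal_is_public(st.get("Principal")):
            public.append(st.get("Sid", f"statement[{i}]"))
    return public


def assess_bucket(name, pab, acl, policy_json):
    """Combine Block Public Access, ACL and policy into a list of findings."""
    findings = []
    missing = [k for k in PAB_KEYS if pab.get(k) is not True]
    if missing:
        findings.append("block-public-access-incomplete:" + ",".join(missing))
    # IgnorePublicAcls makes S3 disregard public ACL grants, so only report them when it is off.
    if pab.get("IgnorePublicAcls") is not True:
        findings.extend(f"public-acl:{p}" for p in acl_public_grants(acl))
    # RestrictPublicBuckets neutralises a public bucket policy in the same way.
    if pab.get("RestrictPublicBuckets") is not True:
        findings.extend(f"public-policy:{sid}" for sid in policy_public_statements(policy_json))
    exposed = any(f.startswith("public-") for f in findings)
    return {"bucket": name, "exposed": exposed, "findings": findings}


# --- Constructed sample configurations: a weak bucket beside a hardened one ---
WEAK_PAB = {k: False for k in PAB_KEYS}
HARDENED_PAB = {k: True for k in PAB_KEYS}
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}
WEAK_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
PRIVATE_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-customer-files/*"}]})
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-customer-files/*"}]})


def assess_weak():
    return assess_bucket("example-customer-files", WEAK_PAB, WEAK_ACL, WEAK_POLICY)


def assess_hardened():
    return assess_bucket("example-customer-files", HARDENED_PAB, PRIVATE_ACL, HARDENED_POLICY)


if __name__ == "__main__":
    for result in (assess_weak(), assess_hardened()):
        print(json.dumps(result, indent=2))
```

Run stand-alone, the weak configuration is reported as exposed through both a public ACL grant and a wildcard bucket policy, while the hardened one produces no findings. The design point worth noticing is that the same weak ACL and policy produce no exposure once all four Block Public Access switches are on, which is why turning them on at account level is the first control to check in a supplier review.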


What next?

If you’d like personalised advice about how your organisation can respond to the Capita breach, or would like advice on cyber security generally, please contact our team.

Call us: 0808 164 4142


Further reading

Find more information about cyber security topics on our blog:

• AI’s new role in cyber security

• Is your organisation doing enough on supply chain security?

• New changes to Cyber Essentials for 2023

• How to minimise the risk from phishing