Capita Hack Fallout: Regulator Sees Breach Reports SurgeICO Receives 'Large Number of Reports' From Organizations Affected by Data Exposure
Customers of British outsourcing giant Capita have been lodging "a large number" of data breach reports, the country's privacy regulator said.
The U.K. Information Commissioner's Office said the reports are tied to a March hack attack against the multibillion-pound company as well as an unsecured Amazon Web Services bucket managed by Capita. "We are receiving a large number of reports from organizations directly affected by these incidents and we are currently making enquiries," an ICO spokesperson said in a statement.
An ICO spokesperson told Information Security Media News that the regulator has "received approximately 90 reports concerning Capita incidents," confirming news first reported by the BBC.*
Publicly traded Capita detected the hack attack on March 31. Ransomware group Black Basta claimed credit, listing Capita on its data leak site April 8 together with samples of stolen data. The data was quickly removed, suggesting criminals had bought exclusive access or the victim had paid a ransom (see: Elementary Data Breach Questions Remain, My Dear Capita).
The second incident involved the unsecured Amazon Web Services bucket discovered and reported to Capita in April by security researcher Kevin Beaumont. He found the publicly accessible bucket, for which password protection had been disabled since 2016, contained about 3,000 files totaling 655 gigabytes in size.
The total count of Capita customers affected by the breaches or individuals whose personal details were stolen or exposed across both incidents remains unclear. The company's customers include the British military, National Health Service, Royal Bank of Scotland and telecommunications giants O2 and Vodafone, meaning data pertaining to millions of individuals could be at risk.
Reports so far suggest as many as 350 pension funds have been affected.
Whether or not Capita has identified all files or data exposed in the incidents remains unclear. Some customers are reviewing the contents of files that Capita told them were exposed. Customers' data breach notifications suggest that Capita's own probe remains ongoing.
The country's data protection authority wants Capita customers to proactively identify their risk. "We are encouraging organizations that use Capita's services to check their own position regarding these incidents and determine if the personal data they hold has been affected," the ICO spokesperson said. "If necessary, consider reporting a data breach to the ICO and we will use this information to inform our next steps."
Under Britain's privacy laws, any organization that learns that personal data it controls has been breached or potentially exposed must inform the ICO within 72 hours.
Hack Attack Victim: USS
One organization affected by the hack attack is Britain's largest pension fund, the Universities Superannuation Scheme. It says information pertaining to current and former members was exposed via its use of Capita's Hartlink technology platform, which it uses to administer pensions.
USS is offering affected individuals 12 months of identity theft monitoring, since the exposed data leaves them at increased risk of fraud. While no member login information appears to have been exposed, the organization says it has strengthened its ID and verification processes, just to be safe.
In a Thursday update, USS said it is continuing to work closely with Capita as its digital forensic investigations continue. "We understand USS data was contained in files generated by them from the main Hartlink system, and held separately on their servers, to facilitate operational processes," it said.
"Capita have confirmed that they have taken extensive steps to recover and secure the data as well as monitoring the dark web to confirm that data compromised as a result of this incident is not circulating more widely," USS said.
What Capita might mean by "recovering" data - as opposed to restoring it - remains unclear. Ransomware incident response experts say that while some victims continue to pay criminals for a promise to delete stolen data, such assurances are worthless (see: Ransom Realpolitik: Paying for Data Deletion Is for Suckers).
Bucket Exposure Affects Councils
At least six government authorities appear to have been affected by the unsecured bucket.
Adur & Worthing Councils, a jointly run local government authority in the south of England, said its data was exposed via the unsecured bucket. Capita informed the councils that no personal data had been exposed. But after "reviewing each of the files that Capita has said was involved," it said "those files did in fact contain some personal data belonging to around 100 Adur and Worthing residents."
Capita didn't respond to a request for comment (see: Capita Issued Erroneous Breach Details, Officials Report).
Thus far, Capita has issued three short "cyber incident updates" on its website about the hack attack. On May 10, it confirmed "some data was exfiltrated" tied to customers, suppliers and employees and predicted the cleanup could cost it $25 million. Given the scant details and lack of any formal apology from the company, some experts have questioned whether Capita has been attempting to downplay the data breach and its impact on customers and individuals.
*Update May 30, 2023 11:15 UTC: This story has been updated to include a count of organizations that have filed breach reports to the ICO as a result of Capita incidents.