Elementary Data Breach Questions Remain, My Dear Capita
Beyond $25M in Estimated Cleanup Costs, The Game Remains Afoot for Victim Details
Mathew J. Schwartz (euroinfosec) • May 11, 2023
In the annals of attempting to downplay the impact of a data breach, here’s a new one from British outsourcing giant Capita, which has just confirmed hackers who hit it in March stole data pertaining to customers, suppliers and employees.
Instead of detailing how much or what types of data got stolen, the London company wields a nonsense measure, stating Wednesday that hackers accessed “less than 0.1% of its server estate.”
Whatever that means, at least it’s down from the “4% of Capita’s server estate” the IT services firm suspected might have been impacted, per its April 20 breach update.
The hack of Capita first came to light when services for a number of its customers were disrupted on March 31. The company has yet to state publicly if ransomware was involved.
The Black Basta ransomware group listed Capita on its data leak site in early April and appeared to offer the stolen data for sale to bitcoin-wielding buyers. It quickly took down the listing for unknown reasons. Samples of information being listed included bank account details, personal information for teachers applying for jobs, as well as names, email addresses and other contact information, The Sunday Times reported.
Capita has not stated if it did or did not pay a ransom. In its Wednesday update, the company said it “has taken extensive steps to recover and secure the customer, supplier and colleague data contained within the impacted server estate, and to remediate any issues arising from the incident.”
Clearly, crucial details for understanding the impact of this attack remain missing. “They wordsmith it to be data exfil from … their server estate, rather than data volume or what was taken,” said British cybersecurity expert Kevin Beaumont in a Mastodon post. “They also use the cyberattack update to boast revenue wins.”
Should the public expect better from Capita, which reportedly has $8 billion in public sector contracts, including major U.K. healthcare and military contracts?
For comparison’s sake, study a Wednesday breach alert from industrial cybersecurity company Dragos, in which the company states that a ransomware group “gained access by compromising the personal email address of a new sales employee prior to their start date,” leading to the attacker stealing sales resources from “SharePoint and the Dragos contract management system,” including a report tied to an individual customer. “We’ve reached out to the customer,” Dragos states in its report, which includes copious details, such as noting that the attacker accessed 25 intelligence reports normally restricted to customers.
Cleanup Costs Could Reach $25 Million
Publicly traded Capita at least doesn’t mess around when it comes to money. On Wednesday, it estimated that the post-breach “specialist professional fees, recovery and remediation costs and investment to reinforce Capita’s cybersecurity environment” will cost up to $25 million.
In the meantime, impacted individuals who directly or indirectly relied on Capita’s services face risks from identity theft and more.
The London Times recently profiled one victim, a 39-year-old teaching assistant named Sophie West, who’d applied for a job at a school that uses Capita to handle parts of its recruitment process. Black Basta appears to have leaked West’s personal details – possibly in the sample of data it posted as proof of the attack – including her driving license and passport. She was reportedly being advised to replace her passport. “It was absolutely shocking, you feel just utterly helpless and don’t know how to act,” she told the Times.
Beaumont suggests this reflects an ethical failure on Capita’s part, and that its leadership should “acknowledge the fact they lost security vetting data” and that it “impacts real people, at a scale way bigger than one person.”
Capita isn’t the only company on the hook over its data breach. Last week, Britain’s financial regulator contacted companies that contract with Capita to provide services, warning that they must check if the data breach will require them to also issue data breach notifications to both their customers as well as the Information Commissioner’s Office.
The U.K.’s Financial Conduct Authority said it had “written to FCA-regulated firms that are clients of Capita to ensure they are fully engaged in understanding the extent of any data compromise.” The FCA added that it’s been working closely with Capita “to understand the extent of any data compromise and impact on the firms they provide outsource services to, including their underlying customers.”
In the case of West and others whose personal data was exposed, under the U.K. General Data Protection Regulation, the duty to notify likely rests with the organizations that hired Capita to handle parts of their recruitment process, and which will thus be guided by the ICO.
Britain’s pensions regulator is probing the leak to see if the exposed data poses a risk to customers of the hundreds of pension funds administered by Capita, the Sunday Times reported.
Whether Capita has yet delivered detailed information to its customers about what was stolen, so they can notify their own impacted customers – or any other individuals whose data they were handling – remains a mystery.