Capita has 'evidence' customer data was stolen in digital burglary
Admits criminals accessed 4% of servers from March 22 until it spotted them at month-end
Business process outsourcing and tech services player Capita says there is proof that some customer data was scooped up by cyber baddies that broke into its systems late last month.
The British listed business, which has around £6.5 billion ($8.09 billion) in public sector contracts, updated the London Stock Exchange this morning to confirm the criminals breached its infrastructure on March 22 and remained inside until “interrupted” by the company on March 31.
“As a result of the interruption, the incident was significantly restricted, potentially affecting around 4 percent of Capita’s server estate. There is currently some evidence of limited data exfiltration from the small proportion of affected server estate which might include customer, supplier or colleague data.”
“Capita continues to work through its forensic investigations and will inform any customers, suppliers or colleagues that are impacted in a timely manner,” it said, adding: “Capita continues to comply with all relevant regulatory obligations.”
This comes after Russian extortionist crew Black Basta claimed it was behind the digital burglary at Capita and put up for sale sensitive information it reckons it stole, which reportedly includes personal bank account details of people and businesses selling products or services to Capita. These are supposedly just small snippets of the data for sale.
Infosec veteran Kevin Beaumont previously said the stolen information being offered for sale also includes Capita documents marked Confidential, passport scans and more.
Beaumont said earlier this month: “Capita's customers and regulators should be asking Capita to explain this – on the record and in writing.”
"Failing to disclose the loss of personal data can have serious financial and reputation damages — in short, do not cover up ransomware and extortion incidents or you may end up the case history of how not to respond," he added.
Capita opened up on IT systems issues at the end of March, when its Azure Active Directory service was suddenly unavailable to its own employees, impacting access to Microsoft 365 applications.
Days later Capita confirmed a “cyber incident” had disrupted services internally.
TechMarketView analyst Marc Hardwick said the “million dollar questions” that are now facing Capita are “what data has been accessed, and to what extent the impact can be mitigated and how quickly this can be done.”
The Information Commissioner’s Office, the UK’s data watchdog, told us: "Capita has reported an incident to us and we are assessing the information provided.
"Other organisations who are affected should also consider their position and report data breaches where necessary. Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people's rights and freedoms.
"If an organisation decides that a breach doesn't need to be reported they should keep their own record of it, and be able to explain why it wasn't reported if necessary." ®