Another security calamity for Capita: An unsecured AWS bucket

Capita is facing criticism about its security hygiene on a new front after an Amazon cloud bucket containing benefits data on residents in a south east England city council was left exposed to the public web.

Colchester City Council said on Monday it had launched a probe following the discovery of the open storage bucket, and was working with Capita to fully understand the “extent of the data spill and take all necessary steps to minimize any impact on residents.”

In the latest update, the council said today that Capita had been “entrusted with the crucial task” of running the end-of-year auditing services for the council tax and benefits. This, it added, included extracting data from the council’s own systems.

The information exposed detailed the benefits local resident received in fiscal years 2019/20 and 2020/21. The council said in a statement:

“The data, along with similar information from other local authorities, was found on an unsecured Amazon Data Bucket controlled by Capita. Capita has confirmed that it has since been made secure and we can confirm that the data does not include any bank details.”

It is unacceptable that Capita has failed to meet these required standards

Colchester city council has asked for more information from Capita to confirm the “extent of the breach as quickly as possible,” and says it was told there is no evidence, as yet, of any malicious use of the data.

Richard Block, Colchester City Council’s chief operating officer, said in a statement he was “extremely disappointed that such a serious data breach by one of our contractors has occurred.”

“We require all parties involved in the handling of sensitive information to adhere to the highest standards of data protection and it is unacceptable that Capita has failed to meet these required standards. As a result, we are considering what further action may be appropriate regarding Capita.

“Upon becoming aware of this incident, the records in question were immediately secured, and we continue to investigate the incident to ensure that all necessary measures are, and remain, in place. We have reported the incident to the appropriate regulatory authorities and will cooperate fully with any investigation or any further actions required."

He said Capita had provided assurances that no personal bank details of the citizens whose data was exposed have been compromised. “We expect a full explanation and remedy from the company and for them to apologize directly to those affected.”

Capita is the largest British business process outsourcing and professional services company, it has some £6.5 billion ($8.1 billion) of contracts under its belt, including with many of Britain’s central government departments.

A spokesperson at Capita said in a statement: “We are working with our third-party technical advisors to investigate this issue. The data is secure and no longer accessible. Our investigations into the matter are ongoing. The privacy and security of our client information is of the utmost importance to us.”

• Capita looking at a bill of £20M over breach clean-up costs
• Leaky AWS S3 buckets are so common, they're being found by the thousands now – with lots of buried secrets
• Twilio: Someone waltzed into our unsecured AWS S3 silo, added dodgy code to our JavaScript SDK for customers
• McGraw Hill's S3 buckets exposed 100,000 students' grades and personal info
• Security company finds unsecured bucket of US military images on AWS

This latest development comes on the heels of Capita shutting down its part of its internal systems in late March after detecting a digital break-in of its infrastructure, which the outsourcing giant admitted to in early April. Russian ransomware crew Black Basta has claimed responsibility.

Capita subsequently said 4 percent of its server estate had been accessed and it had some evidence of data exfiltration. It later updated investors to say around 0.1 percent of its servers has been accessed.

Last week, the UK’s largest private pension scheme said Capita had written to it to warn that details of 470,000 active, deferred and retired members was held on the servers that were accessed by the intruder or intruders. This includes names, date of birth and National Insurance numbers. The data, the Universities Superannuation Scheme added, might not have been stolen but it was laboring on the assumption that “it was.”

Earlier this month, a security researcher said they found an open AWS S3 bucket of documents belonging to Capita in April, which was secured after the organization was alerted. Capita said the cloud storage contained nothing sensitive. ®