More UK councils caught by Capita's open AWS bucket blunder
As for March megabreach? M&S and Guinness maker Diageo warn pension members about data risks
The bad news train keeps rolling for Capita, with more local British councils surfacing to say their data was put on the line by an unsecured AWS bucket, and, separately, pension clients warning of possible data theft in March's mega breach.
Colchester City Council was the first to step forward last week to claim that tech provider Capita had messed up in its auditing services contract for multiple authorities. Capita, it said, had left local residents' benefits data exposed to the public internet and said the council was trying to detect the "extent of the data spill."
The data for Colchester pertained to financial years 2019/20 and 2020/21, and the city council said it was "considering what further action may be appropriate regarding Capita."
Others have subsequently confirmed their data was left out in the open, including Coventry City Council, Adur and Worthing, Rochford District Council, Derby City Council, and South Staffordshire.
Alison Parkin, director of financial services at Derby CC, said Capita supported its council tax and benefits service, and data left exposed was collected in early 2021. "We're very disappointed to hear about the incident," she said.
"We know this incident will cause concern, and we would like to apologize to our customers. We will be contacting affected customers individually," Parkin continued, adding: "As part of our investigation, we will also be taking the opportunity to review the arrangements with Capita."
A spokesperson for Coventry CC told us it had been "belatedly informed that there has been a potential historic data breach by our financial services contractor Capita.
"We are extremely concerned and disappointed by this news, not just because we take such matters very seriously, but also the length of time it took to tell us," the statement added.
"The council is committed to ensuring Capita works with us to fully understand if there has been any data breach and to implement measures to prevent a similar incident from occurring in the future. We are waiting for further clarification from Capita."
Rochford District is also trying to determine how the information was left unsecured online. Tim Willis, interim director of resources, said in a statement:
"We take very seriously our commitment to safeguarding the privacy and security of our residents' personal information. We know this will cause concern to residents and we want to apologize to those affected on behalf of Capita. We will be working with Capita to review the company's processes and ensure the avoidance of any further breaches."
South Staffordshire told us it was aware of a "potential issue" with a third-party supplier connected to data storage, and has informed the Information Commissioner's Office.
"The full extent of the issue is not yet fully known, however we have been assured that a full investigation is underway – the outcome of which will determine our next steps."
A spokesperson at Adur and Worthing Councils said: "Capita has told us there has been no loss of personal information as a result of the breach. Nevertheless, we are seeking further reassurance from Capita that our residents haven't been affected.
"We take data protection, especially that of our residents, extremely seriously, and have launched our own investigation into this incident."
A spokesperson at Capita said: "We are working with our third-party technical advisors to investigate this issue. The data is secure and no longer accessible. Our investigations into the matter are ongoing. The privacy and security of our client information is of the utmost importance to us."
Capita is also dealing with a security incident from March, one in which its systems were broken into by criminals who stole data that Capita previously said was contained to 0.1 percent of its server estate. Included in the servers accessed was pension data, and Capita has since written to clients warning that there is a chance their data was exfiltrated.
The UK's largest private pension fund, USS, has already warned members of the potential risks, and now retailer M&S has written to clients, saying its scheme was "one of many Capita clients impacted" by the March break-in.
"Following a detailed investigation, Capita has also confirmed that unfortunately the incident may have affected the security of personal data for a large proportion of our Scheme's members. This includes the majority of the Scheme's pensioner members and a very small group of deferred members.
"Capita cannot be certain that this data has been accessed, but we believe it's appropriate to act as if this is the case and warn affected members about the potential risks. There is the possibility that if personal data is accessed it could be used for fraud, identity theft or to send malicious emails."
British alcoholic beverage maker Diageo – which owns the brands Guinness, Gordon's Gin and Johnnie Walker, among others – confirmed to the FT that some of its 32,000 pension members were impacted by the breach and it was still trying to determine the extent. It added that members' benefits were safe.
On the pensions' issue, Capita told us:
"Capita continues to work closely with specialist advisers and forensic experts to investigate the incident and we have taken extensive steps to recover and secure the data. In line with our previous announcement, we are now informing those we have identified to be affected. We have worked quickly to provide our clients with information, reassurance and support, while delivering for them as a business. In instances where we need to provide further support to those affected, we will do so." ®