
Capita faces first legal Letter of Claim over mega breach

Barings Law claims 250 people that 'suspect' data theft signed up to class action

Capita is facing its first legal claim over the high profile digital burglary in late March that exposed some customer data to intruders and will cost the outsourcing biz around £20 million ($26 million) to clean up.

Barings Law, based in England's northwest, says it dispatched a Letter of Claim to Capita last week to outline its clients' case and their list of worries.

Some 250 individuals that suspect they were caught up in the breach have already signed up to the class action, it says, and Barings reckons it is receiving up to 40 calls a day from concerned parties, including local councils.

"This could be the biggest data breach the country has ever experienced," said Adnan Malik, Barings Law's head of data breach. "We're receiving a staggering number of enquiries, which is why we've officially launched legal action."

Barings Law told us it had launched a marketing campaign on social media appealing to individuals who believe they've been affected by the breach to make contact.

The personal data exposed to criminals includes passports, emails, and home addresses, according to the law firm.

Capita took its internal systems offline in late March and days later in early April confirmed its infrastructure had been attacked. Russian ransomware crew Black Basta claimed responsibility. The company has worked with the National Cyber Security Centre and other forensic experts to comb through the wreckage.

Early investigations indicated that 4 percent of its servers were accessed during the nine days the criminals were inside, Capita had said, but later revised this to 0.1 percent and admitted it had "evidence" customer data was stolen.

Last month Capita wrote to pension customers – it administers 450 pension schemes with 4.3 million members – to warn of potential unauthorized access to their data which was held on servers involved in the breach.

The UK's largest private pension provider, the Universities Superannuation Scheme, said it was advised by Capita to operate on the "assumption" that data was exfiltrated.

As if Capita and its customers didn't have enough to be dealing with, another security calamity showed up in May: an unsecured AWS bucket containing details of councils' resident tax and benefit data was left exposed to the public.

The Information Commissioner's Office told us at the end of last month it has received 90 reports "concerning Capita incidents."

Malik at Barings said today: "One would think Capita may have put robust measures in place following the first instance, but now innocent people, through no fault of their own, find themselves in really worrying circumstances.

"The legal action from Barings Law sends a powerful message that data breaches carry significant consequences and that companies must prioritize it. It serves as a reminder to organisations to take appropriate measures to safeguard personal data and prevent similar incidents in the future."

No papers have yet been served with a court, a Barings spokesman told us. Capita has three months to reply to the Letter of Claim, he added.

"Capita may respond to say they are investigating this breach, as due to the size and nature of the breach these investigations take time. The ICO will also be investigating (18-24 months for this to be finalised). Capita could wait for ICO to conclude their investigation before fully responding.

"If Barings Law issue to court at this stage and do not have a substantive response, the Judge may want to know why they did not wait before issuing in the high court. For this reason, it is common practice to wait before a firm issues in the high court. This could take 18-24 months from today."

Capita told us it had "no comment." ®
