Capita accused of ‘unsafe storage of personal data’ following data breach
Capita, the British outsourcing company hit by a ransomware attack in March, is facing a growing list of complaints from customers following the revelation of another data breach.
Colchester City Council, which contracts Capita for financial services, has accused the company of “unsafe storage of personal data” over an historical incident that predates the ransomware attack but came to light afterwards.
Rochford District Council also has issued a statement, with interim Resources Director Tim Willis stating the authority was “very disappointed” and was “working closely with Capita to deal with this matter and to understand how the data breach from the company occurred.”
As first reported by TechCrunch earlier this month, Capita had for seven years left thousands of customer files exposed online in an unprotected Amazon Web Services S3 bucket that did not even require a password to access.
A spokesperson for Capita said: “We are working with our third-party technical advisors to investigate this issue. The data is secure and no longer accessible. Our investigations into the matter are ongoing. The privacy and security of our client information is of the utmost importance to us.”
The spokesperson did not explain how many of the company’s clients were affected, although Colchester City Council said “several local authorities around the country” were impacted, adding the council had expressed its “extreme disappointment” with the company over the incident.
Richard Block, the council’s chief operation officer, stated: “I want to reassure all residents that we are taking steps with Capita to fully understand how they have caused this data breach as well as any further action required.”
Colchester said it had notified the Information Commissioner’s Office, the U.K.’s data protection regulator, which can fine companies up to 4% of their global turnover if they are found to have lost data due to inadequate security protections.
Ransomware fallout continues
The complaints about the second breach come as Capita is attempting to deal with the fallout of the ransomware attack from March, which could cost up to £20 million ($25 million) for the company to respond to.
The expenses have been attributed to “specialist professional fees, recovery and remediation costs and investment to reinforce Capita’s cyber security environment,” according to a statement sent to The Record.
Capita did not respond to questions about whether it had paid a ransom fee to the Black Basta cybercrime group, which has since removed the company’s listing on its darknet site.
A growing number of pension providers in the U.K. have been impacted by the ransomware attack, with the country’s Pensions Regulator writing to hundreds of pension funds to tell them to check whether clients’ data had been stolen.
Data regarding around 470,000 members of the Universities Superannuation Scheme (USS), Britain’s largest private sector pension scheme managing more than £89 billion as of August 2021, is feared to have been accessed.
In a statement, the USS said names, dates of birth and national insurance numbers were held on the Capita servers accessed by the hackers.
“While Capita cannot currently confirm if this data was definitively ‘exfiltrated’ (i.e., accessed and/or copied) by the hackers, they recommend we work on the assumption it was,” said USS.
“We will be writing to each of the members affected by this – and, where applicable, their employers – as soon as possible to make them aware, to apologise for any distress or inconvenience caused, and to provide ongoing support and advice,” the scheme said.
When the ransomware attack first came to light, Capita had initially said there was “no evidence of customer, supplier or colleague data having been compromised.”
The company then clarified that such evidence could emerge as the company continued to analyze the incident, before it finally confirmed “based on its own forensic work and that of its third-party providers, that some data was exfiltrated from less than 0.1% of its server estate.”
Expressing the breach as a fraction of Capita’s server estate is not an industry-standard way of describing how much data was stolen. The company did not disclose how many gigabytes the hackers managed to steal, nor the numbers of customers, suppliers and colleagues who were impacted.
Capita’s share price has dropped more than 18%, from £38.64 ($47.97) on March 30, the day before the incident was first reported, to £31.50 ($39.18) as of Wednesday morning.
In its statement, the company said that although it “expects to incur exceptional costs of approximately £15m to £20m associated with the cyber incident” its “underlying trading performance remains in line with expectations.”
It is not clear whether the company will face regulatory action over the breach. Capita said it is “working closely with all appropriate regulatory authorities and with customers, suppliers and colleagues to notify those affected and take any remaining necessary steps to address the incident.”
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.