Capita says cyberattack contributed to annual loss of more than £106 million

Capita, the British outsourcing company hit by a ransomware attack last March, has reported losing more than £106.6 million ($135.5 million) over the last year — roughly a quarter of which was directly caused by the incident.

The company had initially said it expected the incident to cost up to £20 million ($25.4 million) to respond to before later revising this upwards. Its annual results published Wednesday confirmed net costs from the attack of £25.3 million ($32 million).

Capita attributed the rest of its losses to high costs, including business exits and goodwill impairment. Alongside its annual results on Wednesday, the company's chief executive announced cost-cutting plans aimed to address the loss.

Since the incident, which was claimed by the Black Basta group, the company’s share price has dropped by more than 54% — plummeting from a high of £38.64 on March 30, the day before the incident was first reported, to £16.18 at the time of writing.

According to the annual report, Capita’s net promoter score — a customer experience metric — dropped to +16 from +26 as a result of the cyber incident, which particularly impacted its pensions administration business.

The British Pensions Regulator wrote to hundreds of pension funds in the wake of the attack to tell them to check whether clients’ data had been stolen.

When the incident first came to light, Capita had initially said there was “no evidence of customer, supplier or colleague data having been compromised.”

The company then clarified that such evidence could emerge as the company continued to analyze the incident, before it finally confirmed “based on its own forensic work and that of its third-party providers, that some data was exfiltrated from less than 0.1% of its server estate.”

Giving the percentage of the compromised server estate is not an industry standard for conveying how much data has been stolen. The company did not disclose how many gigabytes the hackers managed to steal nor the numbers of customers, suppliers and colleagues who were impacted.

Britain’s data protection regulator said in May it had received “a large number of reports from organizations directly affected” by two data breaches at the company, the first connected to the ransomware incident and the second relating to an exposed Amazon Web Service S3 bucket.

Colchester City Council, which contracts Capita for financial services, accused the company of “unsafe storage of personal data” over the S3 incident. Rochford District Council issued a statement, with interim Resources Director Tim Willis stating the authority was “very disappointed” and “working closely with Capita to deal with this matter and to understand how the data breach from the company occurred."

Under British data protection laws, the company could also face a fine of up to 4% of its global turnover — £2.8 billion ($3.45 billion) as of December 2023 — if it is found to have failed to have met its data protection duties in either of the incidents.

In its annual report, Capita stated: “No provision has been made for any costs in respect of potential claims or regulatory penalties in respect of the incident as it is not possible, at this stage, to reliably estimate their value.”