UK data protection regulator receiving ‘large number of reports’ about Capita

Britain’s data protection regulator said on Thursday it was “receiving a large number of reports from organizations directly affected” by two data breaches at the outsourcing company Capita.

Capita was hit by a ransomware attack in March, which it estimated could cost up to £20 million ($25 million) for the company to respond to based on “specialist professional fees, recovery and remediation costs and investment to reinforce Capita’s cyber security environment.”

Under British data protection laws, however, the company could also face a fine of up to 4% of its global turnover — £2.8 billion ($3.45 billion) in the fiscal year ending March 2023 — if it is found to have failed to have met its data protection duties by the Information Commissioner’s Office (ICO).

The second data breach was first reported by TechCrunch earlier this month, revealing that Capita had for seven years left thousands of customer files exposed online in an unprotected Amazon Web Services S3 bucket that did not even require a password to access.

"We are aware of two incidents concerning Capita, regarding a cyber-attack in March and the use of publicly accessible storage," the ICO said on Twitter, adding that it was making enquiries about both of these incidents.

"We are encouraging organizations that use Capita's services to check their own position regarding these incidents and determine if the personal data they hold has been affected,” the ICO stated.

A growing number of local authorities in the United Kingdom have criticized Capita over the exposed S3 bucket. Colchester City Council, which contracts Capita for financial services, has accused the company of “unsafe storage of personal data” over a historical incident that predates the ransomware attack but came to light afterwards.

Rochford District Council also issued a statement, with interim Resources Director Tim Willis stating the authority was “very disappointed” and was “working closely with Capita to deal with this matter and to understand how the data breach from the company occurred."

At the same time, a large number of pension providers in the U.K. have been impacted by the ransomware attack, with the country’s Pensions Regulator writing to hundreds of pension funds to tell them to check whether clients’ data had been stolen.

Data regarding around 470,000 members of the Universities Superannuation Scheme (USS) — Britain’s largest private sector pension scheme managing more than £89 billion as of August 2021 — is feared to have been accessed. In a statement, the USS said names, dates of birth and national insurance numbers were held on the Capita servers accessed by the hackers.

When the ransomware attack first came to light, Capita had initially said there was “no evidence of customer, supplier or colleague data having been compromised.”

The company then clarified that such evidence could emerge as the company continued to analyze the incident, before it finally confirmed “based on its own forensic work and that of its third-party providers, that some data was exfiltrated from less than 0.1% of its server estate.”

The description of the size of Capita’s server estate is not an industry standard for describing how much data had been stolen. The company did not disclose how many gigabytes the hackers managed to steal nor the numbers of customers, suppliers and colleagues who were impacted.