Capita says responding to ransomware attack will cost up to £20 million

Capita, the British outsourcing company hit by a ransomware attack in March, said on Wednesday the incident will cost up to £20 million ($25 million) to respond to.

The expenses have been attributed to “specialist professional fees, recovery and remediation costs and investment to reinforce Capita’s cyber security environment,” according to a statement sent to The Record.

Capita said the attack was "significantly restricted" after being interrupted by the company's security teams, although it confirmed that "customer, supplier and colleague data" may have been stolen.

The Black Basta ransomware gang has claimed to have been behind the attack. The group listed Capita among its listings of victims and published data apparently stolen from the company, including home addresses and passport images.

The listing for Capita had disappeared late last week, something that typically indicates the victim is either negotiating with the criminals or has made an extortion payment to have the data unpublished. Capita did not respond to questions regarding this.

The Record was unable to check whether the Capita listing remained on the Black Basta darknet site on Wednesday as the site was unreachable. It is normal for many ransomware groups’ sites to be only intermittently available.

In its statement, the company said: “Capita has taken extensive steps to recover and secure the customer, supplier and colleague data contained within the impacted server estate, and to remediate any issues arising from the incident.”

Among those impacted by the incident, the U.K.’s Pensions Regulator has written to hundreds of pension funds in Britain to tell them to check whether their clients’ data had been stolen from the company.

No gigabyte numbers

Capita’s initial statement in April about the incident to the Regulatory News Service — the formal mechanism for publicly listed companies in the U.K. to communicate to the market — said there was “no evidence of customer, supplier or colleague data having been compromised.”

The company subsequently clarified that such evidence may emerge as the company continues to analyze the incident: “Our investigations have not yet been able to confirm any evidence of customer, supplier or colleague data having been compromised.”

On Wednesday, the company said: “Capita understands now, based on its own forensic work and that of its third-party providers, that some data was exfiltrated from less than 0.1% of its server estate.”

The description of the size of Capita’s server estate is not an industry standard for describing how much data had been stolen. The company did not disclose how many gigabytes the hackers managed to steal nor the numbers of customers, suppliers, and colleagues who were impacted.

Capita’s share price has dropped more than 12% from a high of £38.64 ($47.97) on March 30, the day before the incident was first reported, to £33.72 ($42.58) on Wednesday morning.

In its statement, the company said that although it “expects to incur exceptional costs of approximately £15m to £20m associated with the cyber incident” its “underlying trading performance remains in line with expectations.”

It is not clear whether the company will face regulatory action over the breach. Capita said it is “working closely with all appropriate regulatory authorities and with customers, suppliers and colleagues to notify those affected and take any remaining necessary steps to address the incident.”