Fraud Management & Cybercrime , General Data Protection Regulation (GDPR) , Incident & Breach Response
Capita Issued Erroneous Breach Details, Officials ReportLocal Authority Finds Sensitive Data Was Exposed Despite Assurances to the Contrary
Data breach notifications tied to separate cybersecurity incidents at British outsourcing giant Capita continue to roll in amid mounting signs the multibillion-pound company doesn't have a firm grip on how much data it exposed.
See Also: 2022 Unit 42 Incident Response Report
As many as 350 pension funds and multiple local governments are among the organizations warning that Capita lost control of customers' or residents' personal identifiable information, potentially leaving those individuals at increased risk from fraudsters.
Capita's first cybersecurity incident was a hacking intrusion it detected March 31. The company described the hack as "a cyber incident primarily impacting access to internal applications" and reported that no data appeared to have been stolen. A ransomware group subsequently claimed credit, and the company belatedly confirmed sensitive data had been stolen and "might include customer, supplier or colleague data," without offering any further specifics.
The company has resorted to corporate doublespeak in a bid to minimize the severity of the hack, trotting out a made-up measure of affected "server estate" to measure the severity of a hacking incident (see: Elementary Data Breach Questions Remain, My Dear Capita).
Capita holds more than $8 billion in U.K. government contracts. Customers include the National Health Service, Britain's military, the Royal Bank of Scotland and telecommunications giants O2 and Vodafone, who collectively handle data pertaining to millions of individuals.
The second incident involved an unsecured Amazon Web Services bucket containing more than half a terabyte of data. British security researcher Kevin Beaumont said he found and reported the AWS data exposure to Capita on April 24. The bucket had been exposed to the internet and unprotected by a password since 2016, he said, putting at risk 655 gigabytes of data spread across 3,000 files.
Capita told TechCrunch the exposed AWS bucket included "release notes and user guides, which are routinely published alongside software releases in line with standard industry practice." Capita did not state that personal data was among the types of information exposed. It did say the bucket was now secure.
British local governments beg to differ. The Adur & Worthing Councils said in a statement Tuesday that they don't believe Capita's assurances that the AWS breach "did not involve personal data" for its residents.
"Our internal investigation has involved reviewing each of the files that Capita has said was involved," said the southern England governments, which are run jointly. "Unfortunately, this has revealed that those files did in fact contain some personal data belonging to around 100 Adur and Worthing residents," although they added that "at this stage we consider that the risk to our residents appears minimal."
How did an IT consultancy the size of Capita fail to spot that personal data was exposed? The company didn't respond to a request for comment.
Other local authorities affected by the AWS breach include Colchester City Council, which has accused Capita of "unsafe storage of personal data" pertaining to its financial services contract. At least four other councils - including Coventry, Rochford District and South Staffordshire - were also affected by the AWS data exposure, the Financial Times reported.
Publicly exposing an AWS bucket is a security no-no. By default, AWS buckets are password-protected, meaning that whoever rolled out the bucket for Capita deactivated the crucial security control.
"We are extremely unhappy with both the data breach itself and Capita's failure to provide us with swift and accurate information about what they have discovered," the Adur & Worthing Councils said. They've referred the matter to Britain's Information Commissioner's Office, which enforces the country's privacy laws.
Don't Say 'Ransomware'
Keeping track of which Capita customers fell victim to which breach is challenging. For the apparent ransomware attack, Capita on April 20 reported that the intrusion appeared to have run from March 22 to March 31, when it was "interrupted by Capita."
The ransomware group Black Basta on April 8 claimed credit for the attack and posted samples of stolen data. The group quickly removed the information from its data leak site for unclear reasons, but it could tie to criminals paying for exclusive use or the victim paying a ransom.
Thus far, Britain's largest pension fund, the Universities Superannuation Scheme, says 470,000 individuals' name, birthdates, National Insurance Numbers, USS member numbers and retirement data were stolen in the attack. USS has offered victims 12 months of identity theft monitoring.
Other organizations' pension funds have reported falling victim, with the count of affected individuals standing at 100,000 for supermarket and retail giant Marks and Spencer Group, 50,000 members or former members of Telent's GEC scheme now being run by pension insurance specialist Rothesay, and 32,000 at drinks giant Diageo.
Capita has made vague assurances about securing exposed data, but it declined to say whether or not it had paid a ransom. The company has yet to use the word "ransomware" when describing the attack.
Affected individuals deserve better from Capita. As the U.S. Federal Trade Commission advises breached businesses: "Clearly describe what you know about the compromise," including how it happened and what information was exposed. Also tell people how to best protect themselves, "given the type of information exposed."
By those measures, Capita has failed, not least by reporting May 10 that "some data was exfiltrated from less than 0.1% of its server estate," which is a nonsense measurement. More clearly, Capita said its cleanup costs could reach $25 million.
While corporate apologies tend toward the procedural, Capita's three "cyber incident updates" to date about the apparent ransomware attack make no statement of regret to affected customers - or to their customers.
Based in London, Capita answers not to the FTC but the ICO, which enforces the U.K. General Data Protection Regulation. Capita says it has informed affected customers about the hack attack and AWS exposure, as required by British law. These customers must now inform their users or customers - aka the affected individuals - directly.
For a company whose name literally means individual, and which trumpets its ability to help others "achieve better outcomes," Capita's inability to fully understand - or communicate - the impact of its recent breaches on individuals certainly seems ironic.
Likely its clients didn't expect to pay for this type of outsourcing.