In early April, the UK outsourcing giant Capita confirmed that its staff was locked out of their accounts on Friday after a cyber incident.
Capita is one of the government’s biggest suppliers, with £6.5bn of public sector contracts, . The outsourcing firm signed numerous contracts with the Ministry of Defence.
In an update shared on April 3 about the incident, the company announced it has experienced a cyber incident primarily impacting access to internal Microsoft Office 365 applications.
The attack disrupted some services provided to individual clients, but the company pointed out that the majority of its client services were not impacted.
“Our IT security monitoring capabilities swiftly alerted us to the incident, and we quickly invoked our established and practised technical crisis management protocols. Immediate steps were taken to successfully isolate and contain the issue. The issue was limited to parts of the Capita network and there is no evidence of customer, supplier or colleague data having been compromised.” .
“Working in collaboration with our specialist technical partners, we have restored Capita colleague access to Microsoft Office 365 and we are making good progress restoring remaining client services in a secure and controlled manner.”
On April 17, the Black Basta ransomware gang added Capita to its data leak site, claiming the theft of personal and financial data, including bank account details, physical addresses, and passport scans.
On May 10, the company published a new update that states that some data was exfiltrated from less than 0.1% of its server estate
“Capita expects to incur exceptional costs of approximately £15m to £20m associated with the cyber incident, comprising specialist professional fees, recovery and remediation costs and investment to reinforce Capita’s cyber security environment.” .
On April 20, the company published an update to announce that it had experienced a cyber incident that impacted access to internal Microsoft Office 365 applications.
“From our investigations to date, it appears that the incident arose following initial unauthorised access on or around 22 March and was interrupted by Capita on 31 March. As a result of the interruption, the incident was significantly restricted, potentially affecting around 4% of Capita’s server estate.” . “There is currently some evidence of limited data exfiltration from the small proportion of affected server estate which might include customer, supplier or colleague data.”
This week, the company informed Universities Superannuation Scheme (USS), the largest pension scheme in the UK, that their members’ data was stolen as a result of the incident.
Threat actors had access to Capita servers holding details for roughly 470,000 active, deferred, and retired members’ personal information.
Exposed data include names, dates of birth, National Insurance numbers, and USS member numbers.
“While it has been confirmed that USS member data held on Hartlink has not been compromised, we were informed on Thursday 11 May that regrettably details of USS members were held on the Capita servers accessed by the hackers.” reads a statement published by USS. “While Capita cannot currently confirm if this data was definitively “exfiltrated” (i.e., accessed and/or copied) by the hackers, they recommend we work on the assumption it was.”
We are in the final!
Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini
Please nominate Security Affairs as your favorite blog.
Nominate Pierluigi Paganini and Security Affairs here here:
Follow me on Twitter: and and Mastodon
(SecurityAffairs – hacking, Capita)