Cyber hack: 90 organizations report Capita data breach to watchdog

Personal data from councils and pensions funds was compromised in the breach.

About 90 organisations say they have seen some impact from the breach, and have contacted the Information Commissioner’s Office (ICO).

Capita, an outsourcing giant which handles the personal information of millions of people, was hacked in March. News then emerged that Capita had also left a pool of data unsecured online.

After the hack, personal data of users, some of it sensitive, such as home addresses and passport images was found on the dark web.

“We are aware of two incidents concerning Capita, regarding a cyber-attack in March and the use of publicly accessible storage. We are receiving a large number of reports from organisations directly affected by these incidents and we are currently making enquiries”, said a spokesperson at the ICO.

“We are encouraging organisations that use Capita’s services to check their own position regarding these incidents and determine if the personal data they hold has been affected.” 

Cyber incident

On March 31, Capita was alerted to a cyber incident that was primarily affecting access to internal applications. Capita said that its IT security monitoring capabilities swiftly highlighted the incident, and that Capita’s staff took immediate action to halt the attack and mitigate the damage.

However, initially, Capita indicated that there were no signs of a data breach affecting customer, supplier or colleague data.

Then on April 3, the company announced a cyber incident which affected access to internal Microsoft Office 365 applications, and potentially affecting around 4% of Capita’s server estate.

“The majority of Capita’s client services were not affected by the incident and remained in operation, and Capita has now restored virtually all client services that were impacted”, the company asserted.

“The council is extremely disappointed that such a serious and widespread data breach has occurred and is robustly addressing the matter with Capita.”

Richard Block, Colchester City Council’s Chief Operating Officer

Later in May, the company announced that based on its own forensic work as well as that of third-party providers, it estimated that less than 0.1% of data was exfiltrated from its server estate. 

Capita expects that the breach will cost it approximately £15m to £20m ($18.6m-$24.8m), including specialist professional fees, recovery and remediation costs, plus funds dedicated to reinforcing its cyber security environment.

The company is also continuing to work closely with specialist advisers and forensic experts to investigate the incident, and to be able to provide support and reassurance to any customer, supplier or colleague affected by the data exfiltration.

Councils data

Even if ‘only’ less than 0.1% of data was compromised, many of the exposed organizations and councils have voiced their concerns. Colchester City Council, one of those affected, launched a probe in response to what is perceived to be the “unsafe storage of personal data”.

Richard Block, Colchester City Council’s Chief Operating Officer, said: “The council is extremely disappointed that such a serious and widespread data breach has occurred and is robustly addressing the matter with Capita.”

“We are receiving a large number of reports from organisations directly affected by these incidents and we are currently making enquiries.”

The ICO

Block suggested that he was reassured that no personal bank account details had been compromised, however, he continued saying:

“We require all parties involved in the handling of sensitive information to adhere to the highest standards of data protection and it is unacceptable that Capita has failed to meet these required standards. As a result, we are considering what further action may be appropriate regarding Capita.”

Coventry City Council, Adur and Worthing, Rochford District Council, Derby City Council, and South Staffordshire have also said to be affected by the breach.

“We take matters of information security very seriously and have voluntarily reported this incident to the Information Commissioner’s Office; the UK’s independent body set up to uphold information rights”, commented Alison Parkin, Director of Financial Services at Derby City Council.

“We will continue to work with Capita and the ICO to understand the cause of the data breach and how to prevent it from happening again in the future.”

Pension customers affected

Hundreds of pensions funds were also affected by the hack. One of the them, the M&S Pension scheme, voiced concerns about the breach:

“Capita cannot be certain that this data has been accessed, but we believe it’s appropriate to act as if this is the case and warn affected members about the potential risks. There is the possibility that if personal data is accessed it could be used for fraud, identity theft or to send malicious emails.”

Many affected organizations have been in contact with their customers about the breach. The Pensions Regulator has also encouraged customers to check themselves if they might have been affected. “If you use Capita’s services, you should check whether your pension scheme’s data could be affected.”

“Organizations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms. If an organization decides that a breach doesn’t need to be reported, they should keep their own record of it and be able to explain why it wasn’t reported if necessary,” the ICO added.