Nice Capita: Incident Impact Research

Posted On: June 17, 2023
Written By: Patryk Machowiak

Executive Summary

Capita is a British multinational company that specializes in business process outsourcing and professional services. It is the largest such company in the UK, with a market share of over 29%. Capita has a wide range of clients, including central government, local government, and the private sector. It also has a property and infrastructure consultancy division.

I have written a previous report[1] on Capita cyber incident was on the 17th of April 2023 and it was more focused on technical analysis of the known behaviour of the ransomware group responsible for incident. Let’s do some recap. At the time of reporting, Capita:

• Indicated that the group “Black Basta” was responsible for ransomware attack

• Did not believe there was a data breach yet, even though the ransomware group modus operandi is to exfiltrate the data before releasing ransomware, as described in our report[1]

Regardless of Capita’s own statement at the time, The Times[2] was already reporting on the personal bank account details, addresses and passport photos being leaked online as a result of the attack.

Why does this Matter?

Following the ransomware attack which took place on the 22nd of March 2023 Capita was reluctant to admit the data breach. Considering the number and type of clients Capita deals with, the data breach would have a large impact on various organisations as well as Individuals.

The company has finally admitted on the 20th of April 2023 that data breach[3] took place. The company did not specify how many records where affected but made a vague statement indicating that some small portion of their systems have been affected and data of some clients, suppliers and individuals have been breached.

It is important to understand that Capita holds a “treasure trove” of personal and sensitive information which can be used in further criminal activity including identity theft, fraud and others.

The type of data included in the breach are:

• Names, addresses and dates of birth

• Phone numbers, email addresses

• Bank account numbers and credit card numbers

• NHS numbers and diagnoses

• Employment information

The organisations which are customers or suppliers to Capita, the data includes:

Local authorities:

• Government agencies such as DWP, MoJ and NHS

• Insurance companies, banks and utility providers

• Some Charities and non-profit organisations

Many would say that we already know about Capita and there is a data breach so let’s deal with it and hopefully only small portion of data was stolen, not that it is any consolation to the affected organisations or individuals.

Unfortunately the above its not the end of the Capita problems. On 24th of April 2023 the security researcher Kevin Beaumont[4] discovered and reported unsecured AWS bucket containing 655 gigabytes of data. The researcher claims that the data in the misconfigured bucket was exposed unprotected to the internet since 2016.

Capita has claimed that there were no personal or sensitive data present in the AWS storage bucket. The excerpt from the statement: “[..]release notes and user guides, which are routinely published alongside software releases in line with standard industry practice.”

The company refuses to admit any data breach from this second incident. This is a peculiar position Capita finds themselves in as some of their customers such as The Adur & Worthing Councils reviewed all exposed files from the AWS bucket and found that some of the files did contain some personal data belonging to about 100 residents of these councils[4]. This is in direct opposition to what Capita claims was in the AWS storage.

Other local authorities affected by AWS data leak[4][5]:

• Colchester City Council

• Coventry

• Rochford District

• South Staffordshire

Considering that few known Local authorities have already confirmed data breaches as a result of the incident, Capita has estimated their costs incurred due to the incident between £15m to £20m.

These costs do not include the impact on individual local authorities, companies, any of the Government agencies or Pension funds affected. It is not clear how Capita arrived at this figure and the company is not releasing that information.

The calculations made by Capita might seem high, however, considering number and type of organisations affected that £20m seems small in comparison to number of people which are potentially already exploited or whose data will be exploited as a result of the data breach. Unfortunately there is no reliable way of tracking the individual victims of the data breach.

On the 29th of May 2023, BBC[6] reported that around 90 organisations have already reported breaches of personal data held by Capita. That number has been made public by Information Commissioners Office (ICO)[6] in May 2023. In their statement ICO has confirmed two separate data breaches, the first one related to the ransomware and the second one related to AWS bucket data leak.

Following ICO statements, The Pension Regulator (TPP)[6] has asked over 300 pension funds to check if their data has been involved in the attack. In direct response to TPP action the Universities Superannuation Scheme (USS) wrote to all 500,000 members informing them about the breach and the fact that their data was part of it. The USS reports that in addition to the type of data already determined the National Insurance Numbers have also been included in the breached data.

The impact of the incident is wide spread and will unfortunately filter down the line to the individual people whose data is at risk. Needless to say the total costs of all involved will most likely be few times higher than Capita’s own calculations, and the stress, and any adverse effects on individuals will have lasting impact.

If you are interested to see how a single data breach impact can escalate, we have written a separate article on that. You can read it on LinkedIn “The Real Impact of a Data Breach Incident: A Comprehensive Examination of its Effects on Breached Companies, Customers, and the Supply Chain”. The Figure 2 presents a visualisation of the extended data breach impact.

How to Protect Yourself?

The sad truth is that the stolen data is already out in a wild. Unfortunately Capita’s unwillingness to admit data breach and its scope certainly puts a lot of people and organisations in a position where they are not even sure if their data was stolen and to what extent.

Considering that Capita is a supplier to Government agencies, disclosing personal addresses of people working for these agencies, might put personal safety of some of these employees at risk.

In addition to that all other forms of fraud and identity theft, as well as impersonations to leverage other people are now in scope of attack for all whose data has been exposed.

The company does not elaborate on any of that in their statements, Capita rather tries to gloss over the facts and it seems like they just wait until the public scrutiny blows over.

Let’s see what options individuals have to limit the impact of data breach:

• In terms of personal addresses, other than moving to different location, there is not much what can be done. The only other thing going forward could be to set up a virtual address which will be used for all letters. This will not protect from any activity as a result of Capita breach but it will protect personal address from being found out should another breach occur, provided the breach is not related to the organisation providing virtual address.

• The telephone numbers can be changed but it is a hassle. In similar way the IP based virtual phone numbers can be set up, and that number can be then used for all online and other activity. In case of any breach the IP phone can be deleted and new set forwarded again to the actual phone number.

• Implement and update limited technical measures (Anti-virus, Anti-malware, Spam-filters in emails, Suspicious caller identification filter, etc), this should help combat large amount of targeted spam and some potential phishing emails tailored to the individual situation.

• Raise your awareness of phishing attacks, there is a plethora of information available from reputable sources which will help individuals to be more mindful and better at recognising potential attacks.

• Ask organisations you are dealing with to explain in simple terms how your data is protected. Do a bit of the research or reach out to someone who knows, to check if the company claim is valid.

• Verify the data they hold on you. Under GDPR rules the individual can request the data. organisation holds on the individual as well as deletion of data.

• Question the necessity of organisations to hold certain data about individual and its usage.

• Does the individual need all the apps on their phone?, probably not.

Data security is everyone’s business. In ideal world everyone would be interested where their data is being used and accumulated. Unfortunately this is not an ideal world and many are sleep walking into disasters just to be rudely woken up when the incidents happen.

Conclusion

The Capita ransomware incident has a lasting impact on the people who have been affected. The data that was stolen includes sensitive information that could be used for identity theft, fraud, and other crimes. The victims of the hack may have to deal with the consequences for years to come.

The process of identifying all of the victims of the data breach is lengthy and difficult. Capita has been slow to release information about the incident, thus, many of the victims may never know if their data was stolen.

It is important to take steps to protect your personal information because even large, well-known companies can be breached. The Capita incident is a reminder that no one is immune to data breaches.