Capita warns customers they should assume data was stolen

Business process outsourcing firm Capita is warning customers to assume that their data was stolen in a cyberattack that affected its systems in early April.

Almost six weeks after the attack was disclosed, Capita warned Universities Superannuation Scheme (USS), the largest private pension scheme in the UK, to react to the incident under the assumption that their members’ data was stolen.

USS manages the pensions of over 500,000 members from UK universities and Higher Education institutions (and their families), investing £82.2 billion (over $102 billion) on their behalf.

Capita told USS that servers accessed by the hackers held roughly 470,000 active, deferred, and retired members’ personal information, including names, dates of birth, National Insurance numbers, and USS member numbers.

“While Capita cannot currently confirm if this data was definitively ‘exfiltrated’ (i.e., accessed and/or copied) by the hackers, they recommend we work on the assumption it was. We are awaiting receipt of the specific data from Capita, which we will in turn need to check and process,” USS said on Friday.

“We have reported this incident to the ICO and will work with them on any investigation they choose to conduct and any recommendations they might subsequently make to USS. We have also informed the Pensions Regulator and the Financial Conduct Authority.”

Up to 350 UK corporate retirement schemes were affected by the Capita attack, per industry sources, “making it the largest such hack in British history,” according to The Telegraph.

Black Basta claims to have stolen data

While Capita initially described the attack as a “technical problem,” the company acknowledged three days later that a weekend-long outage was the result of a cyberattack.

On April 17, the Black Basta ransomware gang added a private entry for Capita to its data leak site using a private link, threatening to sell allegedly stolen data, including personal bank account details, physical addresses, passport scans, and other sensitive info.

Capita entry on Black Basta’s leak blog (Dominic Alvieri)

A Capita spokesperson declined to provide a statement when BleepingComputer reached out for a comment on the ransomware gang’s allegations.

However, on April 20th, Capita revealed that the attackers exfiltrated files from roughly 4% of its “server estate,” including systems holding customer, supplier, or colleague data, after gaining access to Capita’s systems on March 22 and remaining active until the firm discovered the breach on March 31.

After another two weeks, on May 5th, Capita published a new update saying that “data was exfiltrated from less than 0.1% of its server estate.”

The company also revealed that it’s expecting to incur exceptional costs linked to the April incident of up to £20 million (around $25 million).

London-based Capita is a government contractor that also works with clients in the finance, IT, healthcare, and education sectors.

Its customer list includes the Department for Work and Pensions, the National Health Service (NHS), the UK military, as well as high-profile companies such as Vodafone, O2, and the Royal Bank of Scotland.


(c) Sergiu Gatlan