It’s the news most have been expecting, but has taken almost a month for it to be made public.

Start of the attack

Capita – The UK’s largest outsourcing company in the UK

On the 31st March, staff at Capita, the UK’s largest business process outsourcing & professional services company started reporting “Technical issues” which were impacting access to internal applications to most of its 50,000 staff members.

In a statement, Capita said that “Our IT security monitoring capabilities swiftly alerted us to the incident, and we quickly invoked our established and practiced technical crisis management protocols. Immediate steps were taken to successfully isolate and contain the issue.”

However, unofficial reports suggest something different, The Telegraph reported that a Capita source complained that “they had received no official updates about the IT outage” and only learned about the breach from a colleague.

It is understood Capita sent mass text messages to its workforce urging them not to log into corporate IT systems, but many of those messages were not received leaving staff wondering what was happening.

On the 3rd April, Capita released an updated statement about the technical issue confirming that it was in fact a “cyber Incident”.

Crucially, in the update Capita stress that “There is no evidence of customer, supplier or colleague data having been compromised”.

Capita “cyber incident” update – 3rd April

Potential data exfiltration

On the 20th April, Capita issued another update with a few more details of the breach, stating that the cyber incident seems to have begun on the 22nd March and had primarily affected internal Microsoft 365 applications, and that forensic experts were “investigating the incident to provide assurance around any potential customer, supplier or colleague data exfiltration”.

Capita “cyber incident” update – 20th April

Black Basta

Capita have not officially said who they believe to be behind the cyber incident, however reports are circulating which suggest that Black Basta – the Russian-speaking threat actors are the perpetrators.

On April 8th Twitter user @BrettCallow posted a screenshot from Basta News – the breach site Black Basta operate to showcase the companies they have breached, and where they offer stolen data for sale.

Capita entry on Basta News – @BrettCallow

Black Basta are a fairly new ransomware gang, having made their Internet debut back in early 2022, but have quickly made a name for themselves with some fairly high-profile attacks against various organisations across multiple sectors.

Visiting the Basta News site now however does not turn up any information about the Capita breach. Currently there are 22 pages of breach data, none of which contain any data relating to Capita.

Basta News – No sign of Capita anymore

Ransom paid?

Typically, when a ransomware gang receives payment, they remove all data from their breach sites, so the fact that there is no longer any mention of Capita data on the Black Basta site could suggest that they have recieved a payment for their ransom attack.

Capita’s latest announcement says that they have now “restored virtually all client services that were impacted”.

Could this turn of events suggest that Capita have paid the ransom?

Who are Capita?

Capita was formed in 1984, as a division of the non-profit CIPFA (Chartered Institute of Public Finance and Accountancy). In 1987, it became an independent company with 33 staff . They were first listed on the London Stock Exchange in 1991.

Over the last 20 years, Capita have aggressively sought large contracts and company buy-outs to become one of the largest outsourcing organisations in the world.

Some notable events in Capitas history include:

  • 2011 – The acquisition of Ventura, a customer contact specialist.
  • 2011 – The acquisition of healthcare recruitment company Team24
  • 2012 – The successful bid to operate a 10 year contract for British Army recruitment services
  • 2013 – The purchase of the Fire Service College
  • 2015 – The successful bid to operate administrative services for NHS England
  • 2015 – The acquisition of Avocis, a German call centre business
  • 2019 – The launch of a consultancy division
  • 2019 – The successful bid to operate the Defence Fire and Rescue Service at 53 military sites across the world
  • 2020 – The successful bid to deliver training to the Royal Navy & Royal Marines

As well as the above services to UK government and military operations, Capita also provide services to hundreds of private-sector organisations and local councils.

Among their customers are organisations such as o2, FC Bayern Munich, Southern Water, TfL, Met Police, Sheffield City Council, North Tyneside Council, Severn Trent water, The Pensions Regulator, Enfield council, Barnet council, Westminster council, The Financial Services Compensation Scheme, and Pfizer.

Its plain to see that a serious attack on such an integrated organisation who has data relating to millions of individuals is something many will be concerned about.

Hopefully, Capita’s statement that only 4% of its IT system being affected is true and that damage is limited to a very small proportion of what it could be.

I shall be watching for more announcements and provide updates when they become available.

Related Articles

365 days of blogs / April

(31/12/23) Blog 365 – The end of the year – the end of my challenge

Mark
365 days of blogs / April

(25/11/23) Blog 329 – UK law firms hit with supply chain attack

Mark
365 days of blogs / April

(31-01-23) Blog 31 – JD sports hit with cyber attack

Mark
365 days of blogs / April

(19/07/23) Blog 200 – Twitter hacker from UK sentenced to five years behind bars

Mark
365 days of blogs / April

(25/09/23) Blog 268 – Phishing, SMShing, Vishing, now Quishing

Mark