If you’ve been following my 365 days of blogs, you may remember that last month (21st April to be precise) I posted about the cyber attack which had affected outsourcing giant Capita earlier in the year.

In this short post I give an update to the ongoing events.

In a statement on Wednesday, Capita said the aftermath of the “cyber incident” would cost between £15m and £20m to clean up.

Stern words

Capita are under pressure from a number of organisations to provide evidence that sensitive customer data has not been breached.

The Financial Conduct Authority (FCA) is concerned that a number of pension funds which use Capita’s administrative software have been affected and are seeking assurances that their members’ data has not been stolen.

The company is also facing questions from the BBC about whether millions of households’ data was placed at risk, as the company holds a £456m contract to collect television licence payments.

Not as bad as 1st thought

In their most recent update, Capita says that after performing comprehensive forensic investigations, they believe that data was exfiltrated from less than 0.1% of its server estate. This figure is considerably less than their previous estimate of 4% of its servers which were believed to have been affected by the cyber attack.

The cost of recovery

The figure of £20M quoted by Capita includes the payment of “specialist professional fees, recovery and remediation costs and investment to reinforce Capita’s cyber security environment”.

What the recent statement does not say, however, is whether there will be any fines imposed by the ICO over the data breach. These could run to a much greater figure, as under GDPR the ICO has the power to fine companies found to have been negligent with PII (Personally Identifiable Information) a maximum of 20M Euros or 4% of global turnover.

More importantly, the statement did not say whether the company was including any ransom payment in the £20M price tag.

As mentioned in my previous post – samples of the stolen data were visible on the Black Basta website for a short while before disappearing – something which suggests a payment was made.

Who knows what the true cost of this attack was / will be – I doubt the public will ever know.