ICO inundated with reports over Capita data breach

Over 90 organisations have reported themselves to the Information Commissioner’s Office over the mass data breach at outsourcing giant Capita, whose clients include financial services giants Aviva and Phoenix Group as well as public sector and government departments.

The cyber breach – thought to be a ransomware attack – dates back to March this year, when the company was struck by a three-day outage affecting its Office 365 apps, which include email, Teams virtual meetings, Word and Excel.

At the time, staff said they were unable to log into their laptops, with their usual password rejected as “incorrect”. They said employees could not access Capita’s systems or any other computer programmes.

Earlier this month, it emerged that Capita had also left a cache of personal data unsecured online in an Amazon Web Services file.

However, the company has attempted to downplay the issue, insisting the first attack affected just 4% of its servers, and that it had only found “some evidence of limited data exfiltration”, while it claimed the AWS file was now “secure and no longer accessible”.

The UK financial regulator, the Financial Conduct Authority, has also contacted Capita clients, urging companies including insurers and pension funds to determine what customer data was lost in the breach.

The Pensions Regulator has also written to the hundreds of pension funds that employ Capita to help administer their payment systems, urging them to “determine whether there is a risk to their scheme’s data”.

British drinks giant Diageo – which owns Guinness, Gordon’s Gin and Johnnie Walker, among others – has confirmed that some of its 32,000 pension members have been impacted by the breach although it is still trying to determine the extent.

Hundreds of thousands of people are now being warned that they could have been affected by the hack.

The ICO has confirmed that over 90 organisations have been in contact regarding Capita. In a statement the regulator said: “We are aware of two incidents concerning Capita, regarding a cyber-attack in March and the use of publicly accessible storage. We are receiving a large number of reports from organisations directly affected by these incidents and we are currently making enquiries.

“We are encouraging organisations that use Capita’s services to check their own position regarding these incidents and determine if the personal data they hold has been affected. If necessary, consider reporting a data breach to the ICO and we will use this information to inform our next steps.”

Security researcher Kevin Beaumont told the BBC the first incident, which he is “very confident” was a ransomware attack, was significant because of the breadth of data potentially at risk which could expose victims to fraud.

Beaumont claimed he had alerted Capita to the second issue, which left files unsecured online, in April but it only emerged publicly the following month.

Capita said in a statement: “Capita continues to work closely with specialist advisers and forensic experts to investigate the cyber incident and we have taken extensive steps to recover and secure the data.”
