Capita’s flimsy, unacceptable response to getting hacked won’t calm contractor nerves

It’s fair to say contractors and partners of Capita alike have been nervous in anticipation of further updates from the outsourcing company since it admitted suffering a cyberattack in March 2023, in which sensitive data seems to have been stolen by hackers.

Also aware of the fallout and the risks stemming from Capita’s data breach is the Information Commissioner’s Office (ICO), which issued its own update on May 25th, writes Mel Hzeg of Gerrish Legal.

Ninety victims so far

The ICO has spoken of a “large number of reports” from organisations directly affected by the incident. There’s that nervousness. 

The commissioner’s investigation into the Capita data breach is still ongoing.

But even at this stage, 90 organisations which are clients of Capita have confirmed that their sensitive data has been stolen.

Flimsy

Our view as a data law firm specialising in clients whose interests are commercial, is that Capita’s handling of the cyberattack has been flimsy -- at best. The company backtracked on their initial statement that the March hacking of their servers did not incur a breach of customer, supplier, or colleague data.

Since that statement, a ransomware group has claimed credit for the cyberattack on Capita, prompting Capita to release a statement confirming that sensitive data has been stolen, but without specifying the affected parties or the type of data “exfiltrated.”

Unacceptable

We can tell that Capita’s response including its backtracking has made the public sceptical about Capita’s reassurances that the exposure of half a terabyte of data from an unprotected Amazon Web Services bucket earlier in May, did not contain any personal data.

The flimsiness of Capita’s response to being hacked has also raised concerns among its clients, notably government bodies, which have deemed Capita’s security to be “unacceptable.” Britain's largest pension fund, the Universities Superannuation Scheme, claims that 470,000 individuals' names, birthdates, National Insurance Numbers, USS member numbers and retirement data were stolen in the attack on Capita.

A £15million pay-out rumour

For its part, Capita claims that any data which has been stolen is protected and secure. We wouldn’t expect Capita to admit the following, but it sounds like Capita paid a ransom to the hackers -- in order to protect the data.

It is rumoured that this payment would have been around £10 million to £15 million. Even if this pay-out claim were to emerge as true, the hackers would obviously be under no obligation to keep the sensitive data private. They are cyber-criminals, after all.

What can contractors who work with Capita do?

While it seems like Capita is not publicly saying whose data has been breached, it is possible that they are telling the victims privately.

If you are concerned that your data might have been stolen in the cyberattack, it is likely that Capita will contact you to inform you, and provide details on the potential impact on your personal information.

It is also possible that the ICO will directly contact you. As previously mentioned, over 90 organisations have contacted the ICO for Capita-related breaches, therefore if you are identified as a victim of the breach, the ICO might contact you and help you take the necessary steps to minimise any damage.

If you suspect that your data may have been stolen in the Capita breach but have not received any official communication, you can consider reaching out to Capita directly or contacting the ICO for guidance and assistance in verifying the status of your personal or company information.

Even if you have not received direct communication regarding your data being compromised, it is crucial to remain vigilant.

Take proactive steps to protect your personal information, such as monitoring your financial accounts, enabling two-factor authentication, and being cautious of suspicious emails or messages. It is possible that a hacker who has obtained your data does not have enough to get any financial gain from it and he/she may try to pull further sensitive info by contacting you directly.

Not out of the jittery woods just yet…

It is likely we will hear more updates in the coming weeks and months from the ICO regarding the full consequences of the Capita breach. So that nervousness, for now, is here to stay -- unless the ICO, or even better Capita itself, give us all a reason to feel otherwise.