Capita's handling of cyber attack shows companies still fail at breach reporting

Capita logo appearing a smartphone
(Image credit: Getty Images)

Capita’s recent cyber incident has highlighted a long-running trend in which businesses have failed to adequately inform customers over the extent of a breach. 

The IT outsourcing giant, which provides services to a range of clients including the UK government, revealed in March that it had suffered a “cyber incident” that severely disrupted internal IT services. 

However, the firm said at the time that there was “no evidence” that any data had been compromised in the incident as it sought to allay customer fears over a potential domino-effect breach unfolding. 

While this may have alleviated concerns in the first instance, the company’s response thereafter highlights a continued trend of businesses failing to fully inform affected customers over the disastrous nature of a breach. 

Last month, the company revealed that there was “some evidence of limited data exfiltration” and that compromised data “might include” customer, supplier, and even staff data. 

This announcement, which came weeks after the initial disclosure of the incident, has now been followed by the revelation that client pension data was likely to have been compromised during the cyber incident. 

A report from the Financial Times on 4 May revealed that Capita has informed affected clients of the situation and that it is still investigating the scale of the breach. 

Capita told Reuters that it is “working closely with specialist advisers and forensic experts” to “provide assurance around any potential customer, suppliers, or colleague data exfiltration”. 

Capita’s botched comms could harm customer confidence 

While Capita now appears to have a limited handle on things and is communicating with affected clients, the situation bears concerning similarities to several high-profile data breaches in recent months - a surprising number of which were handled poorly from a comms perspective. 

RELATED RESOURCE

Whitepaper cover with cartoon image of female wheel chair user talking to a man wearing a cap, with another man lifting a message bubble onto a phone screen

(Image credit: ServiceNow)

Same cyberthreat, different story

How security, risk, and technology asset management teams collaborate to easily manage vulnerabilities

DOWNLOAD FOR FREE

LastPass infamously came under fire for its comms response last year in the wake of a seemingly never-ending series of incidents. 

An initial cyber attack disclosure in August last year continually escalated in severity until a final report in late February 2023 revealed that the company had suffered a series of incidents that placed user information at risk. 

The company’s response was heavily criticized by security industry stakeholders amid claims that it failed to appropriately inform users over the full extent of the breach. 

Last year, Block, the US-based payments firm behind CashApp, was also accused of woefully mishandling a data breach

Around 8.2 million customers were affected in a data breach after a former employee was found to have downloaded information on user payment activities. 

The company’s response to the incident prompted a class-action lawsuit in which complainants alleged that the response time and mitigation of the incident was poorly handled. 

Clear-cut communication in the wake of cyber incidents is critical to ensure that customers aren’t left in the dark preparing for the dreaded moment in which their data and company logo is placed on a shady online forum. 

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.