Capita finally admits breach affecting 4% of its servers
It also allegedly misled the public about when the breach took place


IT outsourcer Capita has admitted its “cyber incident” resulted in a data breach, with “around 4%” of its server estate impacted.
It said “there is currently some evidence of limited data exfiltration” and that the data “might include” customer, supplier, or colleague data.
The announcement is the most transparent account of the incident to date, the details of which have been the subject of speculation for weeks.
Capita said that the “cyber incident” mainly affected staff access to Microsoft 365 products, but this access has now been restored.
“The majority of Capita’s client services were not impacted by the incident and remained in operation, and Capita has now restored virtually all client services that were impacted,” it said in a regulatory notice today.
Capita said investigations have shown that the intrusion began on 22 March and was “interrupted” by the company on 31 March.
That day, Capita said it was experiencing “an IT issue” but it wasn’t until 3 April that it described it as a “cyber incident”.
Ransomware group Black Basta claimed responsibility for the attack, posting a number of documents online, but Capita has still not named the group in public-facing communications.
Earlier this week, Capita emailed shareholders explaining that they were still investigating whether the leak was genuine and if the files actually came from Capita, suggesting they could have come from other sources or the public domain.
The files included in the leak were sensitive in nature, such as passport scans, job applications, building floorplans, documents marked ‘confidential’, and files related to “Capita Nuclear”.
Capita’s client list includes major organizations in the UK including mobile operators O2 - the call centers of which experienced outages - and Vodafone; the NHS; various government departments such as the Department for Work and Pensions; plus the British Army and Royal Navy, among others.
According to industry expert Kevin Beaumont, threat intelligence data, which does not appear to have been made public, indicated earlier this week that Capita’s endpoints were found in their monitoring telemetry for Qakbot malware over a week prior to Capita’s announcement of an IT incident.
“In English, Capita had hackers inside for weeks,” he said.
If true, the data would confirm Capita's admission that the intrusion began in March.
Black Basta take a week or two to do data exfil before attempting to encrypt. Capita attempting to talk about just the final stage is a huge gamble that could cost them up to 4% of their total global turnover, and be the textbook example of how not to do this. Ethically poor.
April 16, 2023
Although Black Basta is a known ransomware group, there is currently no indication that the incident involved the group’s encryptor.
If operating under a pure extortion model, the attack follows several in recent weeks from known ransomware gangs opting to avoid using encryptors in their attacks.
ALPHV’s attack on Western Digital appears to be a pure extortion incident, as do the myriad attacks from Cl0p abusing the GoAnywhere MFT vulnerability back in February and throughout March.
Black Basta is considered a sophisticated threat actor and usually operates using double extortion tactics.
First discovered in 2022, according to Kroll, it uses a range of unique tactics to conduct attacks to steal data and infect systems with its ransomware payload.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.