The Guardian (who are themselves working out of a pub still due to a ransomware attack in December 2022) are reporting #Capita (a major IT supplier) have an "IT incident", staff have been told to not use VPN, and they are working with pen and paper since this morning. Thread follows. https://www.theguardian.com/business/2023/mar/31/capita-it-systems-fail-cyber-attack-nhs-fears?CMP=share_btn_tw
Failed IT systems at Capita fuel fears of cyber-attack on crucial NHS provider

Staff unable to access computers and local authority phone lines knocked out as outsourcing giant investigates possible data breach

The Guardian

I had forgotten how big Capita are. It's like 492304932 different business units. Shodan Safari is like looking into the sun.

It looks like some of the plc centrally use Okta for authentication.. I hope they enabled Number Verification.

The Times just filed a piece saying the #Capita outage is ongoing and hitting "every division" (only one source, not sure I buy it), with staff getting verbal 'round robin' updates. https://www.thetimes.co.uk/article/2a6270b8-cfbd-11ed-9a00-73fd2b90e22e?shareToken=1df09835bc32a38e9b8ae2b0e7556097
Capita hit by IT breakdown amid fears of cyberattack

Capita, one of the UK’s biggest outsourcers, is investigating an incident with its IT systems which has prevented staff from logging in. Employees at the company, which handles important government contracts including for the NHS, have been denied access since before 7am. They have been told in round robin phone messages “not to attempt access via VPN or submit password recovery requests”.

The Times

The Times reporter is being verbally briefed as #Capita still don't have email (almost 10 hours in).

They're told: 'There appears to be no risk to personal data processed by the business. The outage seems to be hitting Office365 programmes including Outlook, Excel and Teams rather than client systems...'

Financial Times have a new article up about #Capita, saying two people familiar with the matter say a cyber incident cannot be ruled out.

Curiously all the media articles about it this evening talk about the IT incident in the past tense - but it is still ongoing, it hasn't been resolved.
https://www.ft.com/content/00f9591f-e07a-4339-ba3e-413818602515

Capita hit by IT failure that left staff unable to access services


Financial Times
#Capita are still working to restore service.

Verbal update from #Capita - they’re still restoring internal service, “there is no evidence that any data has been compromised."

They won’t discuss what is happening.

#Capita has been in contact with people at the NCSC and NCA. Interesting an IT supplier would rather talk about a 3 day ongoing IT incident than mention the cyber word.
Latest statement from #Capita - 3 days in they have restored their Office 365 access, and are now trying to restore their customers’ services. “Working in collaboration with our specialist technical partners, we have restored Capita colleague access to Microsoft Office 365 and we are making good progress restoring remaining client services in a secure and controlled manner.”

The Times have a report up saying #Capita NHS services staff are working using WhatsApp and Google Drive, rather than approved Microsoft tooling.

Massively concerned by lack of transparency, going to start digging into this tomorrow with officials. https://www.thetimes.co.uk/article/capita-dogged-by-it-problem-for-three-days-wthl2zp5v

Capita dogged by IT problem for three days

An IT meltdown at Capita continued over the weekend, fuelling speculation of a cyberattack at a company that handles key public service contracts. Staff, incl

The Times
#Capita finally admit they have a cybersecurity incident. No details about what is happening, it’s a regulatory notification. They had been privately briefing customers it wasn’t security related. https://www.londonstockexchange.com/news-article/CPI/statement-re-cyber-incident/15901425

I am told various UK regulatory authorities are beginning to look into what has happened at #Capita as there are varying degrees of concern about different elements, e.g. disclosure to customers and ongoing data access.
#Capita have changed their website frontpage to be a response to the cyber incident.

#Capita are listed on Black Basta ransomware portal as a victim.

They posted various screenshots of access to personal data (e.g. passport scans), security vetting, nuclear BACS payment details, architecture diagrams, school reports etc - Capita customer data.

#threatintel

http://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion/?id=CAPITA

#Capita's breach is also being sold on the portal, you can pay cryptocurrency for "Remote exclusive server with data of "CAPITA""

Black Basta focus on data exfiltration, traditionally using rclone. Prior reading: https://www.hhs.gov/sites/default/files/black-basta-threat-profile.pdf

I took a look at Capita’s ransomware incident, and looked at what they’ve told the media and customers versus the reality of what has happened.

Black Basta ransomware group extorts Capita with stolen customer data, Capita fumble response.

https://doublepulsar.com/black-basta-ransomware-group-extorts-capita-with-stolen-customer-data-capita-fumble-response-9c3ca6c3b283


There’s an interesting piece in The Times today, where the CEO of Capita declares Capita’s response to the hack “will go down as a case history for how to deal with a sophisticated cyberattack”…

DoublePulsar

The Times website has a report this evening about the Black Basta breach of Capita. Capita still deny there is any evidence of data being compromised.. in a story that even includes details of Capita’s office floor plans leaking. #ransomware

https://t.co/3gSWyKp3bE

Capita faces deepening hack crisis

The attack by Russian cybercriminals on one of the UK’s biggest outsourcing companies, Capita, appears far more serious than the company has admitted. Persona

The Sunday Times
#Capita are apparently now known as the "BBC license fee firm"... which might explain why BBC News haven't even mentioned the initial outage I guess. https://www.bloomberg.com/news/articles/2023-04-16/data-feared-stolen-at-bbc-licence-fee-firm-amid-hack-telegraph
Data Feared Stolen at BBC Licence Fee Firm Amid Hack: Telegraph

Capita, one of Britain’s biggest outsourcing companies, is investigating whether sensitive data had been stolen from its systems after a Russian-speaking cyber gang posted a cache of documents online, the Telegraph reported.

Bloomberg

The Record reports #Capita is "...understood to be working to establish whether the data is authentic or if the extortion group had cobbled it together from other sources."

Maybe the source is cobbled together from Capita Business Services... or Capita Nuclear. Or one of the other Capita business units in the #BlackBasta portal. https://therecord.media/capita-investigates-authenticity-data-leak

Capita investigates authenticity of ransomware gang leaks

The UK outsourcing company has not been able to confirm the source of the information released by a ransomware group, a spokesperson told The Record.

Capita data breach has made BBC News. Capita still pretending it isn't happening.

After two weeks of telling press and customers privately my blog was inaccurate, suggesting the leaked data was public domain, denying it was ransomware etc.. #Capita have now admitted a data breach.

They’re still not giving full story or admitting Black Basta, more to come on how to defend your org.

Btw, Capita handle all security clearance - DV and SC - for sensitive jobs and data access. Not great they got owned by Russian hackers and then tried to ineptly cover it up.

I've written a post on the #Capita ransomware breach, which potentially has national security implications in the UK.

- Includes technical steps orgs can take to protect themselves from a similar situation

- A call to arms on a change in how organisations handle ransomware incidents, makes case for transparency

https://doublepulsar.com/russian-hackers-exfiltrated-data-from-capita-over-a-week-before-outage-b67453e0bd59

Russian hackers exfiltrated data from Capita over a week before outage

Capita have finally admitted a data breach, but still do not think they need to disclose key details of the incident to customers, regulators, impacted parties and investors. So in this piece we…

DoublePulsar
ICO statement on Capita incident

Capita has reported an incident to us and we are assessing the information provided. Other organisations who are affected should also consider their position and report data breaches where necessary.

It's a month since Russian hackers first got into #Capita, on March 22nd.

Black Basta also list Capita as CAPITA_2, just noticed - two listings.

Really interesting piece in The Times, where Capita claim that they informed clients they were hacked at 11am on Friday 31st March (the first day) and kept them briefed.

Anybody agree or disagree this was true? https://www.thetimes.co.uk/article/silence-is-deafening-after-cyberattack-on-capita-dgns935gz

Silence is deafening after cyberattack on Capita

Error messages flashed up as staff at Capita tried to log into their accounts on Friday, March 31. Frustrated workers were advised not to submit password reset requests to swamped technology teams as the outsourcer got to grips with what was going on. In a preliminary statement that morning, dictat

The Times

BBC report on the Pensions Regulator's concerns about the data breach at #Capita.

Capita administer pensions for around 4 million people. https://www.bbc.co.uk/news/business-65443841

Capita: Watchdog warns pension funds over data after hack

The Pensions Regulator has told hundreds of funds to check details of customers after a data leak.

BBC News
The FT also have a story on it, where Capita refuse to confirm or deny the Black Basta thing. Super crazy as they definitely know what happened. https://www.ft.com/content/c4383788-e27b-48ea-bd72-044c01841926
Capita hack prompts watchdog to warn pension funds over data


Financial Times

#Capita were still listed unindexed on Black Basta's portal, so I entered a chat and asked Black Basta if they hacked Capita.

Black Basta erased the chat history, and removed CAPITA and CAPITA_2 from their portal just now. Previously, Capita declined to comment about communicating with Black Basta to @BleepingComputer

The Financial Conduct Authority has written to Capita’s customers, reminding them of their responsibilities when it comes to the data breach at Capita. https://www.ft.com/content/9a6c1e80-6302-4749-8841-3c5971d5d1cd
FCA contacts Capita’s clients over cyber attack


Financial Times
@GossiTheDog @BleepingComputer so do you believe they were lying, or that capita has paid them?
@GossiTheDog pretty terrible journalisming by the FT if they don’t just out and say “However, the company has been listed as a victim on the victim portal of a known ransomware gang” to frame the refusal to comment
@GossiTheDog I know someone who works at capita, it's been hard to get info from them as they aren't a direct friend so had to go through someone else, but from what they've said on the morning it happened they were on the phone to IT support for 3 hours as they thought the issue was them, gave up after no answer, and were pretty much given the day off. From what they've told me I think they first heard of the breach when I asked them if they knew what was going on.
@GossiTheDog although I know they aren't actually a client and internal comms could be different to client comms.
@GossiTheDog sending a briefing note is one thing, the briefing note saying Ransomware is another.
@GossiTheDog the first thing that comes to my mind here is SIMS. I think they have a cloud offering. If that is pwned, that is BIG and puts children's lives in genuine danger

@GossiTheDog

This isn’t the case. #Capita handle BPSS clearances, but SC and DV are handled by UKSV, part of the Cabinet Office.

You might want to update your Medium post.

@GossiTheDog Wow, that certainly is a new take on "there is no evidence to indicate" weasel wording.
@GossiTheDog thiiiiiis is why i don't have a smart meter
Proactive - Capita PLC (LSE:CPI) | RNS | Capita plc - Statement re update on Cyber Incident - Companies

Capita plc– Update on Cyber incident. On 3 April 2023, Capita plc announced that it had experienced a cyber incident which primarily impacted access to...

Proactiveinvestors UK
That Bloomberg article requires registration…
@GossiTheDog They are too busy promoting their interview with Elon Musk to focus on real tech news
@GossiTheDog they're not nicknamed Crapita for nothing...
@GossiTheDog IIRC, Capita won the contract to maintain the Criminal Records Office IT infra a few years ago. The ACRO service (website is still down) is owned/run by the Association of Chief Police Officers - I don't even want to think about the sensitivity of the data held by ACPO (let alone that which is actually in the CRO databases)
@GossiTheDog Absence of evidence is evidence of absence. And an ignorant claim of absence of evidence is almost… yeah, whatever… as if anyone cared anyway…
@GossiTheDog and they still wonder why their customers' nickname for them is Crapita
@GossiTheDog I wonder if they will allow people to buy specific records (specifically their own)? That might help out with their customer service - cut out the middle man and get the data you need direct from blackbasta rather than waiting for capita to deliver !

@GossiTheDog ah, so the entire school system in this country

great

@GossiTheDog well let me give you some background...
NDA
NDA
Official secrets..
NDA
NDA

not sure what happened there.....