USS have today started notifying just under half a million people that #Capita lost their data to Black Basta. USS didn’t include nation insurance numbers taken.. which enables fraud.

Due to legal requirements in the UK, every pension holder in every impacted pension scheme will need to be notified individually - according to media reports, this is up to 350 pension schemes. So this may become the biggest data breach disclosure ever in the UK.

Colchester City Council has been informed they have a data breach by #Capita. Capita are telling them the data has now been “secured”. Colchester City Council say they have “extreme disappointment with Capita”. https://www.colchester.gov.uk/info/cbc-article/?id=KA-04376

Update: it turns out this was related to the S3 bucket incident.

Btw, if anybody wonders if I’m human and feel sorry for the Capita cybersecurity staff dealing with this - absolutely. I feel awful for them. I’ve always said the technical containment and investigation sounds good.

I suspect there have been people there tearing their hair out. I doubt the decisions to pretend leaked data was public domain, not admit ransomware, say 0.1% of server estate etc came from the immediate responding teams.

Diageo pension fund says their data has been compromised in #Capita breach.

“During the course of April, Capita informed us that they had taken steps to isolate and contain the incident whilst they continued to investigate it. However, on 3 May, Capita told us that it is likely a file containing your data had been compromised.”

https://www.scotsman.com/news/crime/diageo-pension-fund-members-caught-up-in-russia-linked-capita-cyberattack-4143864

Lots of new details in Times piece about the cybersecurity woes engulfing Capita. Features my Mastodon thread about the files on #Capita’s own website.

New victims include staff at PWC, Unilever and The Cabinet Office. 11 councils are also investigating the open bucket issue.
https://www.thetimes.co.uk/article/0513205a-f718-11ed-a712-8f47f8e830cf?shareToken=e595f233220e2a4532500771d0175ea9

Non-paywall version if you hit it: https://archive.ph/2023.05.20-234130/https://www.thetimes.co.uk/article/capita-under-fire-after-confidential-files-published-online-7cjh2jj59

If you’re wondering why specifically pension companies are disclosing, the Pension Regulator has reminded both them and Capita that there are clear and enforceable legal obligations for pensions.

The #Capita breach involves other data, including UK gov data, which has not been disclosed.

Several months later, #Capita have told teachers in Sheffield they may have had a “potential” data breach. https://www.thestar.co.uk/taxonomy/term/2438/taxonomy/term/164/warning-as-sheffield-schools-hit-by-data-leak-after-hackers-target-capita-4177037

Long time readers of this very thread may remember I pointed out the Sheffield teacher breach over 2 months ago. https://doublepulsar.com/black-basta-ransomware-group-extorts-capita-with-stolen-customer-data-capita-fumble-response-9c3ca6c3b283

Remember the #Capita Black Basta ransomware incident from March? It’s still playing out months later - one of the orgs say “We remain concerned at the level of information provided to USS by Capita”

https://www.ucu.org.uk/article/13020/Update-on-USS-Capita-data-breach

Four months in, Capita have finally admitted to its own staff that their data was taken.

Auditors PWC are amongst the many other victims. They say Capita have been unable to provide “final, complete and accurate” information.

In other news, Capita and PWC have just won the contract to provide the UK’s cyber incident reporting platform. https://www.ft.com/content/52130b83-6ad7-474c-aaf7-88a549dc85e3

In #Capita’s financial results they say “minimal impact from cyber incident”, in a call with investors they described it as a non-event.

Good luck to Capita’s clients. 🫡

Just over 2000 people are taking legal action against #Capita, including some of its own employees.

Note this report contains factual inaccuracies as it relies on Capita’s version of events.

https://www.theregister.com/2023/09/13/capita_class_action_2000_claimants/

4000% increase in pension scheme breaches reported to the ICO in the UK this year.

Capita never disclosed the number of pension schemes impacted their end but I’ve heard it was… a lot.
https://www.pensionsage.com/pa/UK-pension-schemes-record-4000-pc-rise-in-cyber-security-breaches.php

Just over 5k people are suing Capita at the High Court over their ransomware data breach. Discovery on this one should be incredible.

https://www.telegraph.co.uk/business/2024/01/14/thousands-pension-holders-sue-capita-russia-linked-hack/

Unpaywalled: https://archive.ph/2024.01.14-082938/https://www.telegraph.co.uk/business/2024/01/14/thousands-pension-holders-sue-capita-russia-linked-hack/

It’s been almost a year since the #Capita ransomware incident began. Here’s how the new CEO describes it in their yearly update.

There’s now some careful rewording around data exfiltration and “recovery activities” of said data.

The exact amount they book for incident response and recovery is £25.3m, and they do not mention if insurance will cover. Overall the business has booked a £106.6m loss for the year.

This thread is almost 1000 days old and getting a resurrection. #Capita have been fined £14m by the ICO over their ransomware incident.

Lots of big details in the fine, including over 1tb of data stolen (as detailed in this Mastodon thread at the time), confirmation of Qakbot and my blog etc.

Their SOC was wildly understaffed. It took attacker 4 hours to get domain admin due to poor security practices. Lots of learnings for large orgs.

Capita had the PII of 6 million people exfiltrated.. but aren’t exactly sure how many still.

Additionally, they already had a major security incident running and external IR in before the encryption - while this incident was running, the attacker stole a terabyte of data over several days. The cause? No containment. They didn’t contain when they knew the attacker was on the network.

#Capita