Kevin BeaumontFriday evening news drop: USS lecturers’ pension fund may have had their personal details stolen during the recent cyberattack on the outsourcing firm #Capita. https://www.uss.co.uk/news-and-views/latest-news/2023/05/05122023_important-information-about-capitas-cyber-incident
Important information about Capita’s cyber incident
Capita recently reported a cyber incident involving hackers targeting some of its computer servers – potentially impacting several of the cross-sector businesses it serves. We use Capita’s technology platform (Hartlink) to support our in-house pension administration processes and have been liaising closely with the company over the course of its forensic investigations.
By ‘may have been exfiltrated’ in that scenario, Capita mean ‘the attacker definitely rcloned the entire server to a VPS provider’, just FYI to pension companies.
The Telegraph reporting that, aside from USS, around 350 other pension providers are impacted by hack of Capita, with millions of pension holders requiring notification - they call it the largest hack in British history. https://www.telegraph.co.uk/business/2023/05/12/capita-hackers-steal-personal-data-350-funds-hack/
One month ago Capita’s CEO claimed their response to the attack would “go down as a case history for how to deal with a sophisticated cyber attack” - while denying any data exfiltration, and blaming the incident on a single staff member clicking a link (that bit was behind a Times paywall).
I suspect Capita’s board should be asking if somebody opening a file is the real cause of the issue - or if it’s a cascading failure to manage properly and transparently from the top down.
USS have today started notifying just under half a million people that #Capita lost their data to Black Basta. USS didn’t include nation insurance numbers taken.. which enables fraud.
Due to legal requirements in the UK, every pension holder in every impacted pension scheme will need to be notified individually - according to media reports, this is up to 350 pension schemes. So this may become the biggest data breach disclosure ever in the UK.
I haven’t pressed publish on this yet, partly as I want to see what Capita disclose. It’s not just pensions.
Colchester City Council has been informed they have a data breach by #Capita. Capita are telling them the data has now been “secured”. Colchester City Council say they have “extreme disappointment with Capita”. https://www.colchester.gov.uk/info/cbc-article/?id=KA-04376
Update: it turns out this was related to the S3 bucket incident.
Interesting detail in the Colchester piece about #Capita - as far as I know, no other local authorities have yet told the ICO, which they are supposed to do within 72 hours.
Btw, if anybody wonders if I’m human and feel sorry for the Capita cybersecurity staff dealing with this - absolutely. I feel awful for them. I’ve always said the technical containment and investigation sounds good.
I suspect there have been people there tearing their hair out. I doubt the decisions to pretend leaked data was public domain, not admit ransomware, say 0.1% of server estate etc came from the immediate responding teams.
Diageo pension fund says their data has been compromised in #Capita breach.
“During the course of April, Capita informed us that they had taken steps to isolate and contain the incident whilst they continued to investigate it. However, on 3 May, Capita told us that it is likely a file containing your data had been compromised.”
The Financial Times reports #Capita are saying it will take them through to the end of May to notify pension funds about breached data - over 2 months since the hack began. https://www.ft.com/content/39b71f11-6628-476f-9876-59697be25fb9
More from FT on the #Capita Black Basta ransomware fall out, questions how much insurance will cover. https://www.ft.com/content/ff150b65-8dc6-48c8-b2e4-6b8fbee4ea03
Lots of new details in Times piece about the cybersecurity woes engulfing Capita. Features my Mastodon thread about the files on #Capita’s own website.
New victims include staff at PWC, Unilever and The Cabinet Office. 11 councils are also investigating the open bucket issue.
https://www.thetimes.co.uk/article/0513205a-f718-11ed-a712-8f47f8e830cf?shareToken=e595f233220e2a4532500771d0175ea9
Non-paywall version if you hit it: https://archive.ph/2023.05.20-234130/https://www.thetimes.co.uk/article/capita-under-fire-after-confidential-files-published-online-7cjh2jj59
UK’s largest pension insurer, Rothesay, has been caught in #Capita breach https://www.rothesay.com/news/newsroom/statement-on-capita-s-cyber-incident/
If you’re wondering why specifically pension companies are disclosing, the Pension Regulator has reminded both them and Capita that there are clear and enforceable legal obligations for pensions.
The #Capita breach involves other data, including UK gov data, which has not been disclosed.
USS customer notification about Capita breach is categorical that pension data was exfiltrated - previous language was around data potentially being accessed https://infosec.exchange/@spzb/110414033883093993
Simon Briggs (@[email protected])
Attached: 2 images Email just received from #USS about #Capita data breach. Fyi @[email protected]
USS pension update is on their website now. Pension data was definitely stolen via #Capita. https://www.uss.co.uk/news-and-views/latest-news/2023/05/05252023_important-update-on-capitas-cyber-incident
The ICO issued an update on #Capita just now, acknowledging the ransomware incident and the open bucket incident.
The BBC report nearly a hundred companies have contacted the ICO so far about #Capita. https://www.bbc.co.uk/news/technology-65746518
What Security Watchdog (owned by #Capita - they're currently mid sale to another company) do. I may have added the final line.
NHS England say they had data breach via #Capita of medical records of two active patients and two deceased patients https://www.england.nhs.uk/2023/06/nhs-england-statement-on-capita-cyber-incident/
Several months later, #Capita have told teachers in Sheffield they may have had a “potential” data breach. https://www.thestar.co.uk/taxonomy/term/2438/taxonomy/term/164/warning-as-sheffield-schools-hit-by-data-leak-after-hackers-target-capita-4177037
Long time readers of this very thread may remember I pointed out the Sheffield teacher breach over 2 months ago. https://doublepulsar.com/black-basta-ransomware-group-extorts-capita-with-stolen-customer-data-capita-fumble-response-9c3ca6c3b283
Legal proceedings initiated against Capita over data breach. https://www.professionalpensions.com/news/4117931/legal-proceedings-initiated-capita-breach
Miners Pension Fund members have data stolen in #Capita hack - members informed almost 3 months later. https://www.thenorthernecho.co.uk/news/23605752.miners-pension-fund-members-data-stolen-capital-hack/
Remember the #Capita Black Basta ransomware incident from March? It’s still playing out months later - one of the orgs say “We remain concerned at the level of information provided to USS by Capita”
https://www.ucu.org.uk/article/13020/Update-on-USS-Capita-data-breach
Four months in, Capita have finally admitted to its own staff that their data was taken.
Auditors PWC are amongst the many other victims. They say Capita have been unable to provide “final, complete and accurate” information.
In other news, Capita and PWC have just won the contract to provide the UK’s cyber incident reporting platform. https://www.ft.com/content/52130b83-6ad7-474c-aaf7-88a549dc85e3
The Times reports #Capita staff saying Capita “played down” the ransomware/extortion during internal meetings and reported that executives said that “attacks happened to all organisations” and “it is just a small breach”. https://www.thetimes.co.uk/article/capita-admits-hackers-also-stole-staffs-personal-details-jjkw3r7rs
Capita’s CEO has announced he is retiring. Capita say he had stayed on to deal with the ransomware/extortion incident.
The Times ran the headline “Capita boss heads for exit with turnaround finished” attached to a puff piece, so I just checked on how #Capita are doing. Good that the turnaround is finished. A story in 4 pictures.
In #Capita’s financial results they say “minimal impact from cyber incident”, in a call with investors they described it as a non-event.
Good luck to Capita’s clients. 🫡
Capita's share price is down 18% today. Or as Capita call it, 0.1% effected by a Happy Little Non-Event.
Just over 2000 people are taking legal action against #Capita, including some of its own employees.
Note this report contains factual inaccuracies as it relies on Capita’s version of events.
https://www.theregister.com/2023/09/13/capita_class_action_2000_claimants/
30k school pupil records were exfiltrated as part of the Capita hack, but the Department of Education doesn’t appear to have told parents. https://schoolsweek.co.uk/hackers-steal-pupils-details-from-capita/
4000% increase in pension scheme breaches reported to the ICO in the UK this year.
Capita never disclosed the number of pension schemes impacted their end but I’ve heard it was… a lot.
https://www.pensionsage.com/pa/UK-pension-schemes-record-4000-pc-rise-in-cyber-security-breaches.php
Just over 5k people are suing Capita at the High Court over their ransomware data breach. Discovery on this one should be incredible.
Capita are saying, regarding their court case, that there is no evidence that data stolen was publicly available. They may want to tell the people who were directly impacted. https://www.thetimes.co.uk/article/how-hackers-are-recruiting-on-the-dark-web-mpl2hvsss
It’s been almost a year since the #Capita ransomware incident began. Here’s how the new CEO describes it in their yearly update.
There’s now some careful rewording around data exfiltration and “recovery activities” of said data.
The exact amount they book for incident response and recovery is £25.3m, and they do not mention if insurance will cover. Overall the business has booked a £106.6m loss for the year.
#Capita cut the pension business out of their operational KPIs, citing the impact of the ransomware incident.
Deejacker@GossiTheDog Unfortunately the investors are probably quite used to this type of dive, certainly tanked several times since I worked there.