Outsourcer Capita has told some pension provider clients that data it processed on their behalf was compromised in the March 2023 Black Basta ransomware attack on its systems.
According to the Financial Times, which was first to break the story, Capita wrote to trustees yesterday (Thursday 4 May) to inform them that having examined the impacted servers, it had identified that pensions data was “likely to have been exfiltrated”.
In the message, a copy of which was leaked to the newspaper, Capita told those contacted that this did not necessarily mean their data had been stolen, but rather that their data was known to be hosted on one of the affected servers.
Capita said it expected to complete its investigations in the next seven days, but that there was no evidence any of the data had appeared on the dark web. It has supposedly rebuilt its server infrastructure from the ground up to avoid a repeat of the incident.
In a statement, Capita said: “Capita is working closely with specialist advisers and forensic experts in investigating the incident to provide assurance around any potential customer, supplier or colleague data exfiltration.”
“Capita continues to work through its forensic investigations and inform any customers, suppliers or colleagues that are impacted in a timely manner,” the firm’s spokesperson said.
The latest twist in Capita’s unfortunate tale comes amid mounting criticism from customers and security experts in regard to how the outsourcer – which runs IT operations across a vast swathe of the UK’s public sector – responded to the incident.
In its initial statement on the matter, Capita said: “The issue was limited to parts of the Capita network and there is no evidence of customer, supplier or colleague data having been compromised.” However, it is now abundantly clear this was not the case.
According to the Financial Times, pension clients have been “struggling” to get Capita to share any information with them more than a month after the cyber attack came to light, and are increasingly concerned their pension schemes have been affected.
Both The Pensions Regulator and Financial Conduct Authority have been in touch with Capita clients to tell them to establish whether or not they have been affected, and to report to the Information Commissioner’s Office (ICO) if so.
The ICO has additionally confirmed it has received reports of downstream data breaches arising from the Capita incident.
Capita has also been criticised for its disclosure management. Writing in early April, independent security researcher Kevin Beaumont said the outsourcer had been too slow to publicly respond to the attack and had failed to be transparent with its customers, waiting a number of days before confirming that the 31 March outage, initially described as an IT incident, was in fact a cyber attack.
It waited longer still to reveal it was dealing with a ransomware attack, and did not confirm this was the case until several days after Black Basta had begun hawking its customers’ data on the dark web.