The fall-out from the Capita cyberattack continues, with 90 organisations having reported data breaches relating to two security incidents at the outsourcing giant.

More fallout from last month’s cyberattack on Capita. (Photo by T. Schneider/Shutterstock)

Data watchdog the Information Commissioner’s Office (ICO) says it has received “approximately” 90 reports about potential breaches relating to Capita, which is one of the largest suppliers to UK government departments and also holds numerous contracts in the private sector. The reports relate to the cyberattack in March, as well as an unsecured database which was uncovered earlier this month.

Up to 90 companies report breaches due to Capita cyberattack says ICO

The ICO told Tech Monitor it is aware of two cyber events involving the company and that it is “receiving a large number of reports from organisations directly affected by these incidents,” and that it is “currently making enquiries”.

Described as a “cyber incident” by Capita, the March attack left staff locked out of the company’s Microsoft’s Office 365 Productivity suite. Having initially said no data was accessed during the breach, Capita has since admitted some data was left exposed to the hackers. Ransomware gang Black Basta has since claimed responsibility for the breach by posting details of the company on its victim blog. It is not known whether a ransom has been demanded or paid, but Capita said it is likely to incur costs of £20m following the incident. 

It was subsequently revealed that an AWS-hosted cloud storage bucket containing data from Capita clients had been available online since 2016, with no password protection. The trove of data contained approximately 3,000 files making up 655 gigabytes of data. The bucket has since been secured. 

The ICO has urged any Capita customers that fear their data has been exposed to contact it immediately.

The impact of the Capita security incidents

The specific number of companies affected by the breach remains unclear. Capita’s public sector customers include the Ministry of Defence, and the NHS, while in the private sector it serves organisations including the Royal Bank of Scotland and telecoms networks O2 and Vodafone. Capita has 50,000 employees and holds more than £8bn in UK government contracts. 

Several local councils in the UK have been affected by the attack. Barnet, Barking and Dagenham, Lambeth and South Oxfordshire all highlighted issues caused by the cyber incident. Since news of the unsecured AWS bucket came to light, local authorities including Colchester and Coventry city councils have revealed their data may be impacted.

The Capita cyberattack itself may have exposed data from as many as 350 UK pension funds. The Universities Superannuation Scheme (USS), Britain’s largest pension fund, says personal information of around 470,000 active, deferred and retired members may have been accessed when hackers breached Capita’s servers. The USS manages $103bn in assets.

Private sector companies Diageo, which owns drinks brands including Guinness, Smirnoff and Captain Morgan, and Marks and Spencer, have also contacted pension fund users to warn that their data is likely to have been exposed during the breach.

Capita’s sprawling security breach may turn out to be one of the best examples of the risk insecure digital supply chains pose to customers, explains Jamie Akhtar, CEO and co-founder at security company CyberSmart.

“If you’re part of a supply chain, cybercriminals will try to target you sooner or later – the opportunity to cause disruption or steal important data is too good to pass up,” he said. Akhtar urges businesses to use this incident as a reminder to think about the risks to their own supply chains. 

Read more: Tesla data breach? Insider ‘leaks’ 100GB of information