A couple of weeks ago, Joel Benjamin discovered that he may have been unwittingly dragged into a criminal conspiracy. A communications officer for the Carbon Tracker Initiative, Benjamin was alerted to the unsettling news that several foreign bank accounts had been opened using his personal details, which had apparently been obtained by hackers. Their motivation for opening the accounts remains unknown, although previous cases of this ilk have seen cybercriminal gangs use falsely-registered accounts for either money laundering purposes or to burrow more deeply into an individual’s finances. Though the hackers never got as far as accessing Benjamin’s current account and savings, he worries that that could have been their next step. “Obviously,” he says, with not a little understatement, “it creates a bit of stress.”

While he isn’t clear on the hackers’ ultimate goals, Benjamin’s more confident about how they obtained his personal details. Benjamin was alerted to the breach by the credit checking service Experian, part of a service provided by the Universities Superannuation Scheme — one of the largest private pension schemes in the UK — after it became concerned that its members’ data may have been stolen during an attack on one of its third-party partners. Benjamin’s details were in USS’s system thanks to a short stint as a research assistant at Goldsmiths University in London — a job that, though it lasted less than a year, was long enough to entitle him to a small pension.

All of these details would have been enough to make Benjamin uneasy. What made him furious, however, was that the release of his details came as part of a much larger breach of Capita, a company that he’d previously described in The Independent as the ‘Vampire Squid of business process outsourcing.’ As it turned out, the company, a major provider of IT services for a host of educational institutions, pension schemes and public sector organisations, had been subject to a major cyberattack in March. Within weeks, around 90 organisations, USS among them, reported that personal information had been stolen as a result.

For Benjamin, news of the breach vindicated his long-time perception of Capita as an unaccountable behemoth in UK public sector outsourcing. Others, meanwhile, quake at the cyberattack’s implications. After all, Capita has immense reach across the UK’s public sector, doing everything from designing bespoke IT for the British Army to handling healthcare data for the NHS.

It’s also one of just a handful of such companies capable of providing such IT support, clinging to the hull of the ship of state through fair weather and foul for several decades now. Has this situation inadvertently created a new set of cybersecurity vulnerabilities for the UK’s government services? And if so, why do companies like Capita continue to be awarded public service contracts worth millions of pounds? 

UK IT company Capita’s reputation for effective cybersecurity was severely dented by a major breach earlier this year. (Photo Illustration by Pavlo Gonchar/SOPA Images/LightRocket via Getty Images)

Capita’s cybersecurity crisis

Capita is one of Europe’s largest providers of outsourcing services. First formed in 1984 as a division of the non-profit Chartered Institute of Public Finance and Accountancy, Capita was spun off as an independent business three years later. At that point, it had just 33 employees. Now, Capita employs more than 50,000 members of staff, having become a major outsourcing supplier for both the private sector and public services in the UK.

Then came the firm’s hijacking by hackers earlier this year. The alarm bells first started ringing at Capita towards the end of March, when the firm’s computer systems abruptly stopped working. Council phone lines went down, and workers — including in services of critical national infrastructure — resorted to using radios, pens and paper to run key services. In April, Capita confirmed that this abrupt outage had been caused by a breach, ultimately acknowledging that hackers had spent nine days inside its IT systems before they were identified. The firm initially denied that any data was stolen, but later admitted that customer information had, indeed, been compromised.

It now appears that Black Basta, the Russian extortionists who claimed responsibility for the attack, had hacked the company’s Office 365 software and accessed the personal data of Capita staff and clients. Following the attack, the ransomware group reportedly put up for sale sensitive details — including bank account information, addresses, phone numbers, and passport photos — stolen from the IT giant. 

Some 90 organisations have since reported breaches of personal information held by Capita to Britain’s data watchdog, the Information Commissioner’s Office (ICO). The regulator’s investigation into the hack is ongoing. If it does judge that Capita failed to protect the personal data entrusted to it, ICO has the power to levy financial penalties on the public services provider. These fines can be harsh. In October 2020, ICO imposed a £20m penalty on British Airways after it ruled the airline had failed to protect customers’ personal data — a climbdown from the ICO’s initial threat of £183m, but still a record-breaking sum. 

Even without an ICO fine, the cyberattack against Capita has cost the firm dearly. Its latest estimate of the financial impact of the breach, announced alongside its interim financial results, put the associated costs at between £20m and £25m, a substantial increase from the firm’s previous estimate of between £15m and £20m. This rise, according to Capita, reflects the complexity of analysing the ‘exfiltrated’ data, the costs of recovery and remediation, and new investment to improve its cybersecurity for the future. Capita’s shares fell more than 12% in morning trading after the release of these interim financial results, which reported a pre-tax loss of £67.9m in the six months to the end of June.

In addition to these financial woes, Capita might also be facing several class-action lawsuits. Barings Law, a solicitor in Manchester, announced that it had sent a Letter of Claim to Capita in June. As of late July, the firm claimed it had ‘signed up almost 1,000 clients’ to this class-action lawsuit — mostly holders of pensions administered by Capita. In August, Barings announced it was bringing another case against Capita, this time involving a data breach in the NHS. Speaking to Pulse, Adnan Malik, one of the solicitors at Barings Law, said the company had been “inundated” with calls from people affected by the breach, including multiple GPs. “Some of our clients fear that everything, including their personal medical history, could be at risk.”

At the end of July, Capita announced that its CEO Jon Lewis would step down by the end of 2023 to make way for Adolfo Hernandez, the former vice president for telecommunications at Amazon Web Services. The firm denied that Lewis was paying the price for Capita’s cybersecurity crisis — saying that he had, in fact, delayed his retirement to deal with the incident. 

Ultimately, Capita is standing firm. In the company’s earnings call, shared by Capita, Lewis said that the firm had been ‘extremely thorough’ in its efforts to investigate the breach and inform anyone affected. ‘In fact, the overwhelming feedback from both the U.K. government and commercial customers has been one of thanks, appreciation, and a deeply positive impression of how we handled the incident. Government departments have collectively awarded us more than £1bn pounds in Total Contract Value (TCV) since the incident,’ said Lewis. ‘I should also share that we’ve been approached by a number of Whitehall departments’ executive teams, chairs and CEOs to share learnings on how we managed the crisis.’

Too big to fail? 

Despite its highly-publicised cybersecurity woes, the UK’s public sector has indeed kept on investing in Capita. In May, Capita was selected as the ‘preferred bidder’ to deliver Functional Assessment Service (FAS) assessments in the Midlands and Wales for the Department for Work and Pensions (DWP), and in Northern Ireland for the Department for Communities (DfC). The two contracts are worth a combined £565m. In June, Capita announced that it had been awarded an additional £50m deal with the City of London Police. The contract, which runs from 2024 to 2029, will see Capita tasked with delivering customer contact and victim engagement services for the force’s new fraud reporting service. 

Why, then, does the public sector keep turning to Capita and other known quantities of the IT outsourcing landscape like Atos, Fujitsu and Capgemini? Part of it is down to familiarity – on the part of ministers, who appreciate these companies as a known quantity, and among the firms themselves, which have grown used to jumping through the standard hoops involved in bidding for new public contracts. Additionally, explains Andy Watkin-Child, founder of cyber risk consultancy Parava Security Solutions, the contracts that result are often difficult to unwind, and frequently overlap or outlast the electoral terms of the ministers, councillors and departmental heads who signed them.

“We’ve had decades of funding cuts, and a lot of the things which public bodies used to do in-house […] have now become for-profit services run by outsource companies which aren’t ultimately accountable to the public,” says Benjamin. Outsourcing, he continues, also has long-term implications for public services. “The whole institutional knowledge, built up over decades, that’s lost when you outsource is very hard to replace.”

Can regulation alleviate these concerns and force our major public service providers to redouble their efforts on cybersecurity? The UK’s present legislation in this area remains somewhat lacking, argues Watkin-Child. The US and Europe are making bold steps on cyber-risk, which is now considered, by many, a national security problem. But the UK, argues Watkin-Child, risks being left behind. Firms like Capita are beholden to GDPR, for example, but that alone might not have much of an impact when it comes to the costly business of cybersecurity. GDPR violations carry a maximum fine of £17.5 million or 4% of annual global turnover — whichever is greater. 

For Benjamin, the kind of fine that might be levied by the ICO can’t truly account for the real-world disruption that cyber breaches can cause. There are thousands of people, he says, who are now extremely worried about their personal data being sold to illicit traders. “It’s really hard to put a monetary value on that.”
