Capita Data Breach: The Unfortunate Aftermath

It’s been a couple of months full of breaches. Big companies have disclosed numerous incidents so far, including British outsourcing services provider – Capita. Back then, it was pretty vague in terms of how impactful the attack was. Now, more light on the matter is shed.

When the company disclosed the breach, it stated that there was no indication any data belonging to its customers, suppliers, or staff got exposed. Well, that’s not the case in its recent statement.

Yes, the attack was impactful. The company released an update on the previously executed cyber-incident, now admitting that the threat actors did indeed exfiltrate data from its systems. Here’s everything you need to know.

Capita Breach: Correction! Data Was Exfiltrated

Alright! So, this is how it went. Around 3 weeks ago (March 31st, 2023), Capita disclosed a cyberattack that disrupted its internal Microsoft Office 365 applications.

When the company released a statement to shed more light on the matter, it didn’t provide precise information about what happened in details.

In addition, Capita did state that there’s no evidence that the breach affected any of its customers’ data. But now, everything is out in the open.

Apparently, the breach took place on March 22, 2023. However, the company didn’t realize the incident until the breach 9 days later. The full statement is presented below:

“Since the incident, Capita and its technical partners have restored Capita colleagues’ access to Microsoft Office 365.

The majority of Capita’s client services were not impacted by the incident and remained in operation, and Capita has now restored virtually all client services that were impacted.

In parallel with the services restoration activity, Capita has continued to work closely and at speed with specialist advisers and forensic experts in investigating the incident to provide assurance around any potential customer, supplier or colleague data exfiltration.

From our investigations to date, it appears that the incident arose following initial unauthorised access on or around 22 March and was interrupted by Capita on 31 March.

As a result of the interruption, the incident was significantly restricted, potentially affecting around 4% of Capita’s server estate.

There is currently some evidence of limited data exfiltration from the small proportion of affected server estate which might include customer, supplier or colleague data.“

It gets worse. Usually, data harvested in data breaches result in future attacks. And that’s exactly the case. No, it’s upcoming phishing attacks – it’s ransomware.

Black Basta In the Spotlight

The data ended up being posted on Black Basta’s extortion portal on the dark web. The malicious group is selling what it has harvested to any interested entity if Capita fails to meet its ransomware demands.

According to Black Basta’s post, the data for sale includes personal bank physical addresses, passport scans, account details, and other sensitive information.

We have to note that the statement doesn’t provide any information about a ransomware attempt or that Black Basta is behind it.

This means that the validity of these claims remains unconfirmed. However, Black Basta removed the post regarding Capita’s data from its extortion site.

What does that mean? Well, when this occurs, it usually indicates that the company has either paid the demanded ransom or negotiations are in place.

Maybe it’s false, and Black Basta decided to call it quits? We’ll know when additional information is provided by Capita.

The Capita Breach Update – Black Basta Strikes

Black Basta has been targeting companies all over the world, succeeding in almost every single attack it performs.

Capita is the latest victim of the infamous group and we still don’t have all the details about what the attack has impacted.

If anything comes up in the upcoming days, we’ll make sure to update the article and provide you with everything there is to the incident.