Capita’s recent cyber incident has highlighted a long-running trend in which businesses have failed to adequately inform customers over the extent of a breach.
The IT outsourcing giant, which provides services to a range of clients including the UK government, revealed in March that it had suffered a “cyber incident” that severely disrupted internal IT services.
However, the firm said at the time that there was “no evidence” that any data had been compromised in the incident as it sought to allay customer fears over a potential domino-effect breach unfolding.
While this may have alleviated concerns in the first instance, the company’s response thereafter highlights a continued trend of businesses failing to fully inform affected customers over the disastrous nature of a breach.
Last month, the company revealed that there was “some evidence of limited data exfiltration” and that compromised data “might include” customer, supplier, and even staff data.
This announcement, which came weeks after the initial disclosure of the incident, has now been followed by the revelation that client pension data was likely to have been compromised during the cyber incident.
A report from the Financial Times on 4 May revealed that Capita has informed affected clients of the situation and that it is still investigating the scale of the breach.
Capita told Reuters that it is “working closely with specialist advisers and forensic experts” to “provide assurance around any potential customer, suppliers, or colleague data exfiltration”.
Capita’s botched comms could harm customer confidence
While Capita now appears to have a limited handle on things and is communicating with affected clients, the situation bears concerning similarities to several high-profile data breaches in recent months - a surprising number of which were handled poorly from a comms perspective.
Same cyberthreat, different story
How security, risk, and technology asset management teams collaborate to easily manage vulnerabilities
LastPass infamously came under fire for its comms response last year in the wake of a seemingly never-ending series of incidents.
An initial cyber attack disclosure in August last year continually escalated in severity until a final report in late February 2023 revealed that the company had suffered a series of incidents that placed user information at risk.
The company’s response was heavily criticized by security industry stakeholders amid claims that it failed to appropriately inform users over the full extent of the breach.
Last year, Block, the US-based payments firm behind CashApp, was also accused of woefully mishandling a data breach.
Around 8.2 million customers were affected in a data breach after a former employee was found to have downloaded information on user payment activities.
The company’s response to the incident prompted a class-action lawsuit in which complainants alleged that the response time and mitigation of the incident was poorly handled.
Clear-cut communication in the wake of cyber incidents is critical to ensure that customers aren’t left in the dark preparing for the dreaded moment in which their data and company logo is placed on a shady online forum.
