Capita finally admits breach affecting 4% of its servers

Capita logo appearing a smartphone
(Image credit: Getty Images)

IT outsourcer Capita has admitted its “cyber incident” resulted in a data breach, with “around 4%” of its server estate impacted.

It said “there is currently some evidence of limited data exfiltration” and that the data “might include” customer, supplier, or colleague data.

The announcement is the most transparent account of the incident, the details of which  have been speculated for weeks.

Capita said that the “cyber incident” mainly affected staff access to Microsoft 365 products, but this access has now been restored.

The majority of Capita’s client services were not impacted by the incident and remained in operation, and Capita has now restored virtually all client services that were impacted,” it said in a regulatory notice today.

Capita said investigations have shown that the intrusion began on 22 March and was “interrupted” by the company on 31 March.

That day, Capita said it was experiencing “an IT issue” but it wasn’t until 3 April that it described it as a “cyber incident”.


Whitepaper cove with image of man staring out of shot wearing headphones in front of a laptop, with bookcase behind him

(Image credit: Okta)

Modernising identity for a secure, agile hybrid workforce

Pave the way towards a modern, secure, efficient, and sustainable hybrid workplace


Ransomware group Black Basta claimed responsibility for the attack, posting a number of documents online, but Capita has still not named the group in public-facing communications.

Earlier this week, Capita emailed shareholders explaining that they were still investigating whether the leak was genuine and if the files actually came from Capita, suggesting they could have come from other sources or the public domain.

The files included in the leak were sensitive in nature, such as passport scans, job applications, building floorplans, documents marked ‘confidential’, and files related to “Capita Nuclear”.

Capita’s client list includes major organizations in the UK including mobile operators O2 - the call centers of which experienced outages - and Vodafone; the NHS; various government departments such as the Department for Work and Pensions; plus the British Army and Royal Navy, among others.

According to industry expert Kevin Beaumont, threat intelligence data, which does not appear to have been made public, indicated earlier this week that Capita’s endpoints were found in their monitoring telemetry for Qakbot malware over a week prior to Capita’s announcement of an IT incident. 

“In English, Capita had hackers inside for weeks,” he said.

If true, the data would confirm Capita's admission that the intrusion began in March.

See more

Although Black Basta is a known ransomware group, there is currently no indication that the incident involved the group’s encryptor.

If operating under a pure extortion model, the attack follows several in recent weeks from known ransomware gangs opting to avoid using encryptors in their attacks.

ALPHV’s attack on Western Digital appears to be a pure extortion incident, as does the myriad attacks from Cl0p abusing the GoAnywhere MFT vulnerability back in February and throughout March.

Black Basta is considered a sophisticated threat actor and usually operates using double extortion tactics. 

First discovered in 2022, according to Kroll, it uses a range of unique tactics to conduct attacks to steal data and infect systems with its ransomware payload.

Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.