IT outsourcer Capita has admitted its “cyber incident” resulted in a data breach, with “around 4%” of its server estate impacted.
It said “there is currently some evidence of limited data exfiltration” and that the data “might include” customer, supplier, or colleague data.
The announcement is the most transparent account of the incident, the details of which have been speculated for weeks.
Capita said that the “cyber incident” mainly affected staff access to Microsoft 365 products, but this access has now been restored.
The majority of Capita’s client services were not impacted by the incident and remained in operation, and Capita has now restored virtually all client services that were impacted,” it said in a regulatory notice today.
Capita said investigations have shown that the intrusion began on 22 March and was “interrupted” by the company on 31 March.
That day, Capita said it was experiencing “an IT issue” but it wasn’t until 3 April that it described it as a “cyber incident”.
Modernising identity for a secure, agile hybrid workforce
Pave the way towards a modern, secure, efficient, and sustainable hybrid workplace
Ransomware group Black Basta claimed responsibility for the attack, posting a number of documents online, but Capita has still not named the group in public-facing communications.
Earlier this week, Capita emailed shareholders explaining that they were still investigating whether the leak was genuine and if the files actually came from Capita, suggesting they could have come from other sources or the public domain.
The files included in the leak were sensitive in nature, such as passport scans, job applications, building floorplans, documents marked ‘confidential’, and files related to “Capita Nuclear”.
Capita’s client list includes major organizations in the UK including mobile operators O2 - the call centers of which experienced outages - and Vodafone; the NHS; various government departments such as the Department for Work and Pensions; plus the British Army and Royal Navy, among others.
According to industry expert Kevin Beaumont, threat intelligence data, which does not appear to have been made public, indicated earlier this week that Capita’s endpoints were found in their monitoring telemetry for Qakbot malware over a week prior to Capita’s announcement of an IT incident.
“In English, Capita had hackers inside for weeks,” he said.
If true, the data would confirm Capita's admission that the intrusion began in March.
Black Basta take a week or two to do data exfil before attempting to encrypt. Capita attempting to talk about just the final stage is a huge gamble that could cost them up to 4% of their total global turnover, and be the textbook example of how not to do this. Ethically poor.April 16, 2023
Although Black Basta is a known ransomware group, there is currently no indication that the incident involved the group’s encryptor.
If operating under a pure extortion model, the attack follows several in recent weeks from known ransomware gangs opting to avoid using encryptors in their attacks.
ALPHV’s attack on Western Digital appears to be a pure extortion incident, as does the myriad attacks from Cl0p abusing the GoAnywhere MFT vulnerability back in February and throughout March.
Black Basta is considered a sophisticated threat actor and usually operates using double extortion tactics.
First discovered in 2022, according to Kroll, it uses a range of unique tactics to conduct attacks to steal data and infect systems with its ransomware payload.
