Fraud Management & Cybercrime , Geo Focus: The United Kingdom , Geo-Specific

Capita Data Breach Affects Britain's Largest Pension Fund

Signs Point to Data Theft, USS Says; Up to 350 Other Funds Potentially Affected
Capita Data Breach Affects Britain's Largest Pension Fund

Fallout from the March hack of Capita and accompanying data breach continues to mount.

See Also: Live Webinar | Cyber Resilience: Recovering from a Ransomware Attack

Up to 350 U.K. pension funds may have been affected by the data breach, which could make it one of the worst breaches in British history, The Telegraph reported Friday.

London-based outsourcing and professional services firm Capita, which has 50,000 employees, holds more than $8 billion in U.K. government contracts. Customers span government, IT, healthcare and education sectors and include the National Health Service, Britain's military, the Royal Bank of Scotland and telecommunications giants O2 and Vodafone.

Britain's largest pension fund, the Universities Superannuation Scheme, is among the organizations now warning individuals that their personal details may have been exposed by the data breach, leaving them at elevated risk of identity theft. USS manages $103 billion in assets and provides retirement and health benefits to members, who are academic staff. It said it uses Capita's Hartlink technology platform to manage its pension fund.

Last week, publicly traded Capita warned investors that cleanup costs from the hack attack and data breach could reach $25 million. A ransomware group claimed credit for the attack (see: Elementary Data Breach Questions Remain, My Dear Capita).

USS reported that on Thursday it learned from Capita that personal details on around 470,000 active, deferred and retired members may have been accessed when hackers breached Capita's servers. At-risk details include each individual's name, birthdate, National Insurance Number and USS member number, but it said members' account login details were not stolen.

"While Capita cannot currently confirm if this data was definitively 'exfiltrated' - i.e., accessed and/or copied - by the hackers, they recommend we work on the assumption it was," USS said.

USS said it had notified Britain's Information Commissioner's Office, Pensions Regulator and the Financial Conduct Authority about the breach of personal data.

Capita issued its first incident notification on March 31, saying it was experiencing a "technical issue" preventing some customers from accessing Office 365 services. Initially, the company said it didn't appear data had been stolen. As is typical with many breach probes, by mid-April investigators had found evidence that data was indeed stolen (see: Data Breach Notifications: What's Optimal Timing?).

On April 21, the ICO, which enforces the U.K. General Data Protection Regulation, said in a statement that "Capita has reported an incident to us and we are assessing the information provided."

The ICO reminded any organization affected by the breach that under law, it is required to notify the ICO "within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people's rights and freedoms," and carefully document their response regardless.

Diageo Alerts Pension Fund Users

London-based drinks giant Diageo, which uses Capita to administer its pension fund, has also begun contacting pension fund users to state that their personal information is likely to have been exposed in the breach.

"During the course of April, Capita informed us that they had taken steps to isolate and contain the incident whilst they continued to investigate it," reads a copy of the message sent to a pension fund member and obtained by The Scotsman. "However, on 3 May, Capita told us that it is likely a file containing your data had been compromised."

The letter says Diageo will be offering affected pension fund users a 12-month prepaid subscription to an Experian identity theft service.

Colchester Warns Residents

Pension funds are not the only entities affected by the breach. Authorities in Colchester, a town in southeast England, last week warned residents that their personal data had been exposed due to "the unsafe storage of personal data by its financial services contractor, Capita."

"The council is extremely disappointed that such a serious and widespread data breach has occurred and is robustly addressing the matter with Capita," said Richard Block, chief operating officer of the Colchester City Council. "I want to reassure all residents that we are taking steps with Capita to fully understand how they have caused this data breach as well as any further action required."

Capita CEO Jon Lewis told The Sunday Times for a report published April 9 that his firm's response to the hack attack "will go down as a case history for how to deal with a sophisticated cyberattack."

When it came to declaring that ransomware was involved, Capita was beaten to the punch by the Russian-language ransomware group Black Basta. On April 8, the group listed Capita on its data leak site, together with samples of stolen data. Shortly thereafter, Black Basta removed the listing for reasons that aren't clear. Sometimes groups do that if a victim pays a ransom, although it's also possible a crime group paid for exclusive access to stolen data.

On April 20, British security expert Kevin Beaumont reported that based on open-source intelligence, Black Basta appeared to have first infected Capita with Qakbot - aka QBot malware - on March 21. In a typical Black Basta attack, he said, an average of 500 gigabytes of data is exfiltrated. The ransomware group apparently then attempted to crypto-lock Capita's systems on March 31, at which point the firm spotted the attack, shut it down and began restoring systems.

"From a technical containment point of view, based on public statements, it appears this went very well - within days of the outage they had the situation under control," Beaumont said. "Nobody sane would challenge that, and Capita should be applauded for the initial containment."

He questions, however, whether Capita has been sufficiently transparent, not least with its initial focus on the Microsoft 365 outage and continuing failure to ever utter the word "ransomware."

Did Capita Pay Attackers?

Colchester's alert to residents says at least several other local governments appear to have been affected and that it has been told that the exposed information "has now been secured."

That assertion echoes the data breach update issued Wednesday by Capita, which states that it "has taken extensive steps to recover and secure the customer, supplier and colleague data contained within the impacted server estate, and to remediate any issues arising from the incident."

Whether Capita is alluding to having paid a ransom in return for a promise from attackers to not sell or leak the stolen data - experts say such promises are meaningless - remains unclear. Capita didn't respond to a request for comment.

While customers of Capita's services have expressed frustration over the breach, none have publicly vowed to drop the company.

"We are taking swift and decisive action to investigate the situation and ensure Capita's processes are improved to avoid any future breaches," Colchester's Richard Block said.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.