Outsourcing giant Capita fears customer data stolen during ransomware attack

Capita, the British outsourcing company that provides critical services for the U.K. government, says hackers may have accessed customer data during a cyberattack last month.

The London-based outsourcing giant, whose customers include the NHS, the U.K. military, and the Department for Work and Pensions, said in a statement on Thursday that its investigation into the March attack unearthed evidence of “limited data exfiltration” which “might include customer, supplier or colleague data.”

Capita hasn’t said how many customers have been affected or what types of data were accessed. Russ Lynch, an agency spokesperson representing Capita, told TechCrunch the company would not comment beyond its statement.

However, a Sunday Times report claimed that the Russian-speaking Black Basta ransomware group, which claimed responsibility for the attack, published personal bank account details, passport photos and addresses, along with personal data belonging to teachers’ applying for jobs at schools.

The gang is also believed to be responsible for the recent attack on U.S. satellite television provider Dish.

At the time of writing, Capita is not listed on Black Basta’s dark web leak site, which ransomware groups typically use to extort companies into paying a ransom demand for not publishing stolen data.

Capita first confirmed that it had suffered an “IT issue” in late March, before later admitting on April 3 that a “cyber incident” was to blame for the disruption, which left staff unable to access its VPN for logging in and Microsoft 365 services. At the same time, Capita claimed it had “no evidence of customer, supplier or colleague data having been compromised.”

The cyberattack also disrupted some services Capita provides to clients. Reports claim that local authorities, such as Barnet Council in London, experienced disruption to customer service lines, and companies that use Capita for call centre services, such as cellular network O2, were also affected.

U.K. government services also experienced disruption, according to Cabinet Office spokesperson Conor Walsh, who told TechCrunch that the incident “primarily affected internal processes with minimal impact on government departments.”

“We are aware of the cyber incident which has affected Capita and continue to be in regular contact with the company,” the  spokesperson added. Capita holds £6.5 billion ($8bn) worth of public sector contracts, according to the Sunday Times.

In its latest update, Capita said that it has now restored “virtually all client services that were impacted” and said it has reinstated employees’ access to Microsoft 365.

Thursday’s statement also confirms that hackers first compromised Capita’s internal systems on March 22, around nine days before Capita “interrupted” the breach on 31 March.

“As a result of the interruption, the incident was significantly restricted, potentially affecting around 4% of Capita’s server estate,” the statement reads. “Capita continues to work through its forensic investigations and will inform any customers, suppliers or colleagues that are impacted in a timely manner.”

The Information Commissioner’s Office, which enforces the U.K’s data protection laws, confirmed to TechCrunch that “Capita has reported an incident to us and we are assessing the information provided.”