Capita has now confirmed that hackers did remove data from its systems, and there is speculation that it may have paid a ransom to the cyber attackers.
According to its website, Capita is a leading provider of business process services, driven by data, technology and people, delivering innovative solutions to transform and simplify the connections between businesses and customers, governments and citizens. It has offices throughout the UK (including Chippenham), Europe, India and South Africa.
Capita announced on 3 April 2023 that it had experienced a cyber incident which primarily impacted access to internal Microsoft Office 365 applications. Since the incident, Capita and its technical partners have restored its staff’s access to Microsoft Office 365, and Capita has now restored virtually all client services that were impacted.
In a statement posted on the company website on 20 April, Capita stated that, following investigations carried out with specialist advisers and forensic experts, it appears that the incident arose following initial unauthorised access on or around 22 March and was interrupted by Capita on 31 March.
According to the statement, as a result of the interruption, the incident was significantly restricted, but potentially affected around 4% of Capita’s server estate. The statement went on to confirm that there is currently some evidence of limited data exfiltration from the small proportion of affected server estate, which might include customer, supplier or colleague data. Capita continues to work through its forensic investigations and will inform any customers, suppliers or colleagues that are impacted in a timely manner.
On 17 April 2023, the Black Basta ransomware gang posted Capita on its extortion portal on the dark web, offering to sell stolen data to interested buyers unless the victim paid the ransom. Examples of alleged details obtained during the cyber-attack included personal bank account details, physical addresses, passport scans, and other sensitive information.
Whilst Capita made no mention of the Black Basta hackers’ allegations in its statement, Capita’s entry on the dark web portal has since been removed. This can mean that a ransom has been paid or one is being negotiated. Capita has not confirmed or denied whether it has had any communication with the threat actors.