Downstream breaches of Capita customers spreading

The impact of two separate cyber security incidents at Capita continues to spread as more and more of the organisations’ customers report downstream data breaches, with the data of hundreds of thousands – potentially millions – of private individuals likely affected.

As many as 90 organisations say they have now seen some impact, according to the BBC, which cited updated figures from the Information Commissioner’s Office (ICO).

Among them are multiple pension funds which used the company’s Hartlink service, a supposedly secure website that enables people to manage their pensions. These include firms such as Diageo, Marks and Spencer, Royal Mail and Unilever.

Capita’s systems were attacked at the end of March, causing a multi-day service outage for many of the organisation’s public sector customers. At the time, Capita’s crisis communications operation claimed that there was no evidence of customer data being compromised but this has now proved to be untrue.

It has also subsequently emerged that Capita left confidential data exposed to the public internet for a number of years, having failed to correctly configure an Amazon Web Services (AWS) S3 storage bucket.

“We are aware of two incidents concerning Capita, regarding a cyber attack in March and the use of publicly accessible storage. We are receiving a large number of reports from organisations directly affected by these incidents and we are currently making enquiries,” the ICO said in a statement.

The regulator said it was continuing to encourage Capita customers to check their exposure to these incidents and if necessary, to consider reporting breaches to it.

Organisations are obliged to notify the ICO within 72 hours of becoming aware of a personal data breach unless it poses no risk to people’s rights or freedoms.

Even if an organisation chooses not to report, it must maintain records of the breach and be able and prepared to explain why it did not do so, should circumstances change.

ESET global cyber security adviser Jake Moore said that when personal data was compromised, it made breaches far more impactful, and warned that it might be years before exactly what has happened at Capita becomes clear.

“The knock on effects of this attack have been brutal and highlight the full extent of a typical, modern-day cyber attack,” said Moore. “Exposure of sensitive data can create problems for customers who are often left unbeknown of the full outcome of their information being stolen.

“Whether people have been warned or not, people should remain vigilant of distinctive follow on threats. People should remain on guard to potential malicious communications even if it sounds plausible and verified with corresponding data due to fraud and identity theft possibilities.”

Jamie Akhtar, CEO and co-founder of CyberSmart, added: “This story might become one of the best examples of the cyber security risk supply chains pose…If you’re part of a supply chain, cyber criminals will try to target you sooner or later – the opportunity to cause disruption or steal important data is too good to pass up.

“So, we urge businesses of all sizes to think about their supply chain and the risks within it. If you’re unsure where to start, the NCSC’s ‘mapping your supply chain’ guidance is a great jumping-off point.”