Victims of 2023 Capita data breaches head to High Court

Ordinary people who believe their personal data was compromised in two different cyber incidents that affected systems at Capita in 2023 – one a ransomware attack claimed by the Black Basta syndicate; the other an accidental leakage of data stored in an unsecured AWS S3 bucket – are heading to the High Court of England and Wales as a group action lawsuit led by Manchester-based Barings Law moves forward.

Legal proceedings against the outsourcing giant were formally triggered on 12 January 2024, and Barings Law is now representing more than 5,000 people. It claims that about 50 new claimants are coming forward on a daily basis.

The law firm said its own investigations had found “alarming potential breaches” of information, including compromised emails, passport data, home addresses and fraudulent purchases made via victim bank accounts.

“Our High Court action speaks volumes, echoing the concerns of thousands of distressed individuals whose privacy was jeopardised. It’s time to ensure that corporations prioritise safeguarding the digital trust we all rely on,” said Barings Law head of data breach Adnan Malik.

“Data breaches are not just about ones and zeros; they’re about lives and the trust people place in organisations. The Capita data breach isn’t just a case; it’s a wake-up call for corporations to prioritise the protection of sensitive information, and we won’t rest until justice is served.”

Malik said this could potentially be one of the largest data breaches ever seen in the UK. “Aside from people’s pensions being affected, the testimonies from our clients reveal some very concerning details ranging from potential huge financial impact to highly sensitive details being compromised.”

“Data breaches are not just about ones and zeros; they’re about lives and the trust people place in organisations. The Capita data breach isn’t just a case; it’s a wake-up call for corporations to prioritise the protection of sensitive information, and we won’t rest until justice is served”

Capita, which expects the Black Basta cyber attack to end up costing it between £15m and £20m, has previously said the data it knows to have been stolen was extremely limited, and was taken from less than 0.1% of its overall server estate.

That said, a not-insignificant number of its customers were impacted, including multiple pension funds, and NHS England, from which a minimal amount of data was taken. The breach that arose via the unsecured Amazon bucket similarly impacted local authorities and included details of benefit claimants. 

Malik added: “While acknowledging Capita’s own victimisation in this cyber attack, the projected £20m it will cost them, though substantial, appears almost trivial given their ample resources.

“Conversely, our resilient clients, who’ve poured their sweat and soul into life’s endeavours, now confront the heart-wrenching reality of losing everything they’ve worked so tirelessly to build,” he said.

“Our pursuit of justice doesn’t just send a message; it roars one into the void – data breaches exact a toll that reverberates and serves as a poignant reminder, urging companies to imbue their actions with empathy, to safeguard personal data they hold.”

A Capita spokesperson told Computer Weekly: “There is no evidence of any information in circulation, on the dark web or otherwise, resulting from the cyber incident, and no evidence linking Capita data to fraudulent activity. Whilst we don’t comment on specific ongoing legal matters, we strongly reject any suggestion that there is any valid basis for bringing a claim against Capita.”