Capita, a UK-based business process outsourcing firm, has warned customers to assume they have stolen data due to a cyberattack in early April. The company disclosed the attack nearly six weeks after the incident and has informed the Universities Superannuation Scheme (USS), the largest private pension scheme in the UK, of the possibility of hackers stealing their members’ data.
Over 500,000 members from UK universities and higher education institutions pension is under the management of USS, which has also invested £82.2 billion ($102 billion) on their behalf. Capita revealed that servers accessed by the hackers contained personal information of approximately 470,000 active, deferred, and retired members, including names, dates of birth, National Insurance numbers, and USS member numbers.
Although the company cannot confirm the exfiltration of the data, they recommend USS should assume that it was. The company has reported the incident to the ICO and informed the Pensions Regulator and the Financial Conduct Authority.
According to industry sources, up to 350 UK corporate retirement schemes were impacted by the Capita attack, making it one of the largest hacks in British history. Initially, Capita described the attack as a “technical problem” but later acknowledged it was due to a cyberattack.
The Black Basta ransomware gang on April 17th added a private entry for Capita to its data leak site, threatening to sell allegedly stolen data, including personal bank account details, physical addresses, passport scans, and other sensitive information. Capita has declined to comment on the allegations made by the ransomware gang. Capita disclosed on April 20th that the attackers exfiltrated files from about 4% of its “server estate,” including systems customer, supplier, or colleague data after accessing Capita’s systems on March 22nd and remaining active until March 31st, when the breach got discovered.
Capita published another update on May 5th, stating that less than 0.1% of its server estate had data exfiltrated. The company expects to incur up to £20 million ($25 million) cost associated with the April incident.
With customers including the Department for Work and Pensions, the National Health Service (NHS), the UK military, as well as high-profile companies such as Vodafone, O2, and the Royal Bank of Scotland, Capita remains a government contractor actively serving clients in finance, IT, healthcare and education sectors.
