Skip to content

Search the site

Capita ransomware attack will cost it ~£20m in remediation, as the company leaks more data

Qakbot and leaky buckets...

A cybersecurity incident at outsourcer Capita will cost it up to £20 million in “specialist professional fees, recovery and remediation costs and investment to reinforce [its] cyber security environment” it said on May 10.

That is equivalent to nearly its entire free cash flow in 2022 and a sharp reminder of how damaging successful intrusions can be. Capita has also now admitted grudgingly that “some data” was exfiltrated from its servers in the attack after telling press three weeks after the incident that there was no evidence of any data breach.

The £20 million figure seems to be an industry ballpark for post-ransomware recovery at scale: freight forwarder Expeditors, which was hit by ransomware in early 2022, later reported that the incident had cost $40 million in charges on lost shipping opportunities and a further $20 million in recovery, and remediation.

Capita is one of the UK government’s biggest contractors and handles a range of sensitive workloads. Capita has been castigated for its opacity over the incident, which it first reported on Friday March 31 and has since admitted may have involved access to its systems from March 22. Investigation by security researcher Kevin Beaumont using open source data suggests that it was breached via a Qakbot phishing campaign on March 21.

It appears that efforts to detonate a ransomware payload were swiftly dealt with by Capita.

Capita, four days after disclosure; weeks after the breach.

Follow 👉 The Stack on LinkedIn 👈

An earlier notice suggested that the incident “primarily impacted access to internal Microsoft Office 365 applications. Capita now says data was taken from “less than 0.1% of its server estate”, a fundamentally meaningless formulation however that dodges the question of the volumes of data taken or what it comprised and fails to acknowledge that data leaked includes highly sensitive personal data like people’s passports.

Capita has written to a range of clients including pensions clients suggesting their data may have been exposed. (The Black Basta ransomware group that initially claimed responsibility leaked a range of Capita documents onto its .onion site as part of what looks like standard ‘double extortion’ tactics before later removing them.)

Capita, which reported revenues of £2.8 billion in 2022, added today that it has “taken further steps to ensure the integrity, safety and security of its IT infrastructure to underpin its ongoing client service commitments.”

It appears that there is still work to do on cyber hygiene at the company. Just last week security researchers identified an AWS bucket of Capita’s that had been exposed to the internet since 2016, exposing some 3,000 files totaling 655GB. As reported by TechCrunch on May 5, there was no password on the bucket, “allowing anyone who knew the easy-to-guess web address access to the files. Details of the exposed cloud server were also captured by GrayHatWarfare, a searchable database that indexes publicly visible cloud storage.”

Capita told press that the bucket contained “information such as release notes and user guides, which are routinely published alongside software releases in line with standard industry practice” – a false claim that could be and was rapidly rebuffed simply by looking at some of the files exposed during the incident.

See also: So many bad takes — lessons from the Prime Video “monolith” story

Latest