UK outsourcer and public sector specialist Capita expects to incur “exceptional costs” in the region of £15m to £20m as a result of the March 2023 Black Basta ransomware attack on its systems, which saw clients left unable to provide vital public services for days, and has resulted in a major breach of customer data, including information held by pensions providers.
In a statement to the market issued 10 May, Capita said that these costs would include specialist professional feed paid to cyber security incident responders and forensics, recovery and remediation costs, and investment to reinforce Capita’s cyber security environment.
The organisation did not mention the impact of any regulatory penalties that may or may not arise over the apparent loss of significant amounts of data, some of which is known to have been circulating on the dark web. Nor did it say whether or not it has paid off the Russian-speaking Black Basta gang.
“Capita has continued to work closely and at speed with specialist advisers and forensic experts to investigate and resolve the cyber incident,” a spokesperson said.
“As noted previously, the unauthorised intrusion was interrupted by Capita which resulted in the impact of the attack being significantly restricted. Capita understands now, based on its own forensic work and that of its third-party providers, that some data was exfiltrated from less than 0.1% of its server estate.
“Capita has taken extensive steps to recover and secure the customer, supplier and colleague data contained within the impacted server estate, and to remediate any issues arising from the incident.”
Capita said it would continue to work closely with regulators, customers, suppliers and colleagues to notify any other parties who may be affected and not yet know it, and take “any remaining necessary steps” to address the incident.
It said it has also taken further steps to better ensure the integrity, safety and security of its IT infrastructure to “underpin its ongoing client service commitments”.
The organisation’s underlying trading performance remains in line with expectations despite the impact of the cyber attack, with group revenues up by just under 5% year on year (YoY) for the first four months of the year, and sales performance up 16%.
Meanwhile, reports have emerged that suggest that even reckoning without the impact of the Black Basta ransomware attack, Capita has been unwittingly exposing confidential data to the public internet for years thanks to a misconfigured Amazon Web Services (AWS) S3 storage bucket that had no password set.
The breach, which was flagged to TechCrunch by an unnamed security researcher, appears to date back to 2016, and affects about 655GB of data in 3,000 files. The researcher claimed the data included software files, server images, Excel spreadsheets, PowerPoint presentations and more. One of the files allegedly included login credentials for a Capita IT system.
Capita locked down the S3 bucket on being informed, and it is unknown whether or not it contained any customer data. The researcher additionally noted that they had had trouble finding an appropriate security contact within Capita, and that the organisation does not have a responsible disclosure policy in place.
Badly secured AWS S3 buckets are a frequent source of data leaks and have been used on multiple occasions by malicious actors to infiltrate their victims’ networks and move laterally to other systems – although there is no evidence to suggest that Black Basta used Capita’s bucket to conduct its ransomware attack.
AWS S3 buckets are private and secured by default – and as of January 2023, the service now encrypts data by default, too – so absent a targeted attack by an insider or a cyber criminal group, their contents can only be revealed by improper configuration and mismanagement.