The fallout from Capita’s so-called “cyber incident” last month has been slow and damning. After weeks of insisting that criminal hackers had merely disrupted internal systems, the outsourcing giant has confirmed this week that the damage was more than just an ‘incident’.
It was, in fact, ransomware.
Capita is one of the largest public-sector service providers in the UK, with £6.5 billion in contracts managing systems such as the BBC licence fee and the London congestion charge.
It also works extensively with the Department of Work and Pensions, managing its payment assessment systems, and has contracts with the NHS, National Cyber Security Centre, the Cabinet Office and other government agencies.
It’s unclear how many of these services have been compromised in this cyber attack, thanks to Capita’s taciturn response. The firm has revealed few details either publicly or to its supply chain, with some partners saying they only heard about the incident via text message and received no further updates.
As is often the case, the lack of transparency has left people angrier than the cyber attack itself. The Times has called Capita’s response a “crisis” – a far cry from Capita CEO Jon Lewis’s declaration two weeks ago that the incident “will go down as a case history for how to deal with a sophisticated cyberattack”.
How did we get here?
The problems began on Friday, 31 March, when Capita discovered what it would first describe as a “technical issue” and would later clarify was a “cyber incident primarily impacting access to internal applications”.
According to its statement, the “incident” disrupted some services provided to individual clients, but the majority of its client services remained operational.
It continued: “Our IT security monitoring capabilities swiftly alerted us to the incident, and we quickly invoked our established and practised technical crisis management protocols. Immediate steps were taken to successfully isolate and contain the issue.
“The issue was limited to parts of the Capita network and there is no evidence of customer, supplier or colleague data having been compromised.”
“Working in collaboration with our specialist technical partners, including the team of leading cybersecurity experts at Microsoft Incident Response, we have restored Capita colleague access to various systems, and we are making good progress restoring remaining client services in a secure and controlled manner.”
Despite these promising signs that the breach was limited and that Capita was responding effectively, there were indications that something was amiss.
The Telegraph reported that a Capita source complained that “they had received no official updates about the IT outage” and only learned about the breach from a colleague.
“It is understood,” the Telegraph said, that “Capita sent mass text messages to its workforce urging them not to log into corporate IT systems, but many of those messages were not received”.
The Cabinet Office offered a different story, with a spokesperson saying that it was “aware of an incident affecting some systems within Capita and [was] in regular contact with the company as they continue to investigate the issue”.
What actually happened?
On 3 April, Capita revealed the first concrete details of its investigation, confirming that a cyber attack had resulted in outages for clients, including local councils. It added that the intrusion began on 22 March, around nine days before Capita “interrupted” the attack.
So far, so good. In most cases, identifying a data breach in nine days is something to be applauded. According to IBM’s 2022 Cost of a Data Breach Report, the average detection time is 197 days.
You can see why Capita’s CEO thought his organisation’s response effort was so memorable.
The only problem is that this wasn’t a typical cyber attack. It was ransomware, in which criminals use malware to rifle through an organisation’s systems, stealing vast quantities of data. In most cases, they encrypt those files and lock users out of their devices until a ransom is paid. It’s pretty hard not to notice that.
Indeed, Kevin Beaumont’s reporting on the incident suggests that Capita was aware that it had been infected with ransomware on 31 March, when it first disclosed the incident and told journalists that it was “too early to say if it was a cyber security attack”.
It took the organisation a further three days to confirm that it was a cyber attack, and it only revealed that it was ransomware after the perpetrators – a gang known as Black Basta – took responsibility for the attack and began selling Capita’s data on the dark web.
Capita says that, thanks to its intervention, the cyber attack was “significantly restricted” and affected only 4% of its IT systems.
“The majority of Capita’s client services were not impacted by the incident and remained in operation, and Capita has now restored virtually all client services that were impacted,” it said.
It added that it “continues to work through its forensic investigations and will inform any customers, suppliers or colleagues that are impacted in a timely manner”.
In an update, it confirmed that “there is currently some evidence of limited data exfiltration from the small proportion of affected server estate which might include customer, supplier or colleague data”.
However, as has become a pattern throughout the fallout of this incident, there appears to be a discrepancy between what Capita says publicly and the evidence.
For instance, despite the above statement, its website still says that “there is no evidence of customer, supplier or colleague data having been compromised”.
The stolen data that the criminals released publicly shows that they captured an assortment of records. This includes bank account details for 152 organisations, personal data of applicants to primary and secondary school teaching positions, documents marked ‘confidential’, passport scans and security vetting information.
Given that the criminals chose to release this information as proof of the attack, it’s likely that they hold a trove of other, more valuable details.
What’s particularly concerning is the indiscriminate nature of the compromised information. The attackers also captured, for instance, floor plans for multiple buildings and an offer of employment for a teaching role in a primary school.
If the criminals stole records this specific, it suggests that they gained deep access to Capita’s systems, and there’s no telling what sorts of data were hidden within.
With Capita’s clients including the NHS and the DWP, it’s possible that the breach includes sensitive and special category data that are as valuable to criminals as they are damaging to the victims.
The good news for Capita is that it looks as though it didn’t succumb to the cyber criminals’ ransom demands. Gangs often threaten to publish their victims’ data online if they don’t pay up – in what is known as ‘double extortion’.
This is intended to give organisations an added motive to negotiate, but the reality is that criminal hackers have frequently leaked the data anyway, even when the ransom was paid.
There is no way to prove that the criminal hackers are deleting the stolen information – or even that they haven’t already used that information for fraud by the time they contact the organisation in an extortion attempt.
It’s one of the reasons that cyber security experts warn against ransom payments. Another factor is that whatever a cyber criminal does with the data, the information is still considered to be compromised in a legal sense, and organisations must report the incident according to their regulatory requirements.
Paying the ransom is never a good idea, no matter what a cyber criminal threatens you with. By this point, the damage has been done and your resources should be focused on responding to the incident and public relations.
The bad news is that Capita wasn’t clear from the outset that it had been infected with ransomware. These forms of attack have historically been stigmatised, because they suggest that the organisation has poor security measures in place and has lost control of its systems.
However, as attacks have become more common and the public gains a greater awareness of cyber security, these associations are fading. You can fall victim no matter how well prepared you are. The sign of a responsible and security-conscious organisation is one that handles the breach in an effective manner.
Capita’s response to the breach defies those ideals and creates a cloud of uncertainty. We can only wonder what the organisation was doing between the time that it was breached and when it was eventually forced to admit that it had suffered a ransomware attack.
Could it have been considering a pay-out in the hope that its systems could be restored and it wouldn’t have to disclose the scale of the breach? It wouldn’t be the first organisation to do that.
But ultimately it made the right choice. Transparency is always the best option, and although Capita left it late to reveal what went wrong, it can now begin its road to recovery.