Capita breach fallout widens as customers learn of data theft

The fallout from Capita's cyber incident continues as customers say the British outsourcing giant has told them to assume that data was stolen by hackers.

The Universities Superannuation Scheme (USS), the U.K.’s largest private pension provider, said on Friday that the personal details of almost half a million members were held on servers accessed during the recent breach.

The USS, which uses Capita’s online pensions administration system Hartlink, said Capita informed it on May 11 that the personal details of 470,000 active, deferred and retired members had potentially been accessed. This data included members’ names, dates of birth, National Insurance numbers and USS member numbers.

“While Capita cannot currently confirm if this data was definitively ‘exfiltrated’ (i.e., accessed and/or copied) by the hackers, they recommend we work on the assumption it was,” USS said in a statement. “We are awaiting receipt of the specific data from Capita, which we will in turn need to check and process.”

USS said it will contact affected members (and their employers, if applicable) as soon as possible to apologize and provide ongoing support and advice.

When reached by TechCrunch, Capita spokesperson Elizabeth Lee declined to say how many customers may have had data exfiltrated due to the April breach, or whether the company had the technical means, such as logging, to detect what — if any — data was accessed.

The Telegraph reports that the Capita attack affected as many as 350 U.K. corporate retirement schemes, “making it the largest such hack in British history.” Other pension providers that use Capita’s Hartlink system include AT&T Pension Scheme, the Royal Mail Statutory Pension Scheme and Wincanton Pensions.

Capita said in mid-April that customers’ data might have been breached but added that it only had evidence of a “limited” loss of information which “might include customer, supplier or colleague data.”

While Capita claims data loss was “limited,” a non-public page on the leak site of the Russia-speaking Black Basta ransomware gang, seen by TechCrunch, showed samples of the stolen Capita data, which included bank account details, passport photos and driver’s licenses, and the personal data of teachers applying for jobs at schools. These files have not yet been shared publicly by Black Basta and it’s not known whether a ransom demand was paid.

A second security incident

Capita confirmed a second cybersecurity incident in May.

TechCrunch learned that the London-based firm left 3,000 files, totaling 655 gigabytes in size, exposed to the internet since 2016. At the time, Capita told TechCrunch that the unsecured bucket contained “information such as release notes and user guides, which are routinely published alongside software releases in line with standard industry practice.”

However, Colchester City Council on Friday confirmed that it recently learned of “the unsafe storage of personal data by its financial services contractor, Capita.” It said that the security lapse, which “affected several other local authorities around the country,” relates to historical data, though it’s not known exactly what data was exposed or whether the incident related to the May data breach.

Scott Collins, a spokesperson for Colchester City Council, confirmed to TechCrunch that the council’s statement relates to Capita’s May data exposure, and screenshots of the data seen show that data pertaining to Colchester City Council was included in the AWS bucket, which has since been secured.

In its Friday statement, Colchester City Council’s chief operating officer Richard Block said the council was “extremely disappointed” about the data breach and is “robustly addressing the matter with Capita.” Collins added that the company doesn’t yet know the “full extent of the breach, nor the exact numbers involved.”

Capita did not respond to TechCrunch’s questions related to the second data breach.