Capita admits to possible data breach

24 April 2023

IT outsourcing firm Capita has stated that its customer, supplier and colleague data may have been accessed by hackers. The firm is currently investigating an attack on its systems from March 2023.

Capita is a professional services firm, which provides IT consulting and outsourcing services to clients across the private and public sector. The trusted status of the firm, which counts local tax authorities, the Royal Navy, and Network Rail among its clients, has seen it become the latest in a rash of service providers to be targeted by hackers.

Recent attacks have affected WH Smith and Royal Mail's international parcel services, and now Capita has confirmed that around the 22nd of March 2023, the company was also stung by a cyber-attack. According to a release from Capita, the unauthorised access was not interrupted until the 31st of March – and the firm admitted that as the hackers had primarily impacted access to internal Microsoft Office 365 applications, there was evidence of a "limited" data breach.

Among the companies using Capita for call centre services, it is understood that brands including O2 were impacted by the activity. A number of council customer service lines are also said to have seen outages, though Capita insists that as only 4% of its server estate was hit, the majority of clients were unaffected.

Staff access to Microsoft Office 365 has since been restored for Capita, but the full extent of the event is still unknown. According to a report from Sky News, Capita is continuing an internal probe into the attack, to discern to what extent customer, supplier or colleague data may have been accessed.

A comment from Capita noted, "Capita continues to work through its forensic investigations and will inform any customers, suppliers or colleagues that are impacted in a timely manner."

Recent years have seen consulting firms release a growing mound of papers warning clients about the dangers of lax cybersecurity measures. However, Capita is not the first professional services company to have been caught in a breach of its own. In 2017, Accenture was fortunate to avoid being added to the list of victims, when it emerged that the company’s data hosted on Amazon’s S3 cloud database was left unsecured. A security researcher discovered four AWS S3 storage buckets configured for public access, leaking internal emails, passwords, client data, and sensitive documents.

Three years later, thousands of UK business professionals also had their personal details exposed online via a leaky Amazon Web Services bucket. Researchers discovered files belonging to multiple consulting firms, which were thought to have been left publicly viewable with no authentication by a London-based company known as CHS Consulting. The bucket contained files from the HR departments – including passport scans, tax documents, criminal record information and background checks – of multiple UK consulting firms including Eximius Consultants, Dynamic Partners and IQ Consulting, with the data stretching back as far as 2011.