Capita Hack: A Case Study of What Not To Do…

May 5, 2023

In this week’s bulletin, Charlie discusses Capita’s response to its recent cyber attack and gives an insight into how organisations should communicate with their customers after a potential breach.

I have been meaning to write something on Capita since I became aware of their hack about a month ago. Shortly after it happened, I went on holiday, so I didn't really follow what happened. However, over the last few days, I have been doing some research to understand what went on and get my thoughts together. I think you need to wait some time after a cyber incident before writing an article, as it usually takes a while for the incident to unfold and for the consequences and impacts to become clear.

As I said when I wrote about the Arnold Clark hack, I have no insider knowledge of their response and have used public sources for the details of what has happened. This bulletin is very much my opinion and interpretation of the publicly available facts, so there will be facts and events I am not aware of which could account for why they have responded in a certain way.

I thought as a framework for this bulletin, I would use my “marks out of 100” framework to review their response.

About Capita

Capita is a large outsourcing company based in the United Kingdom. The company specialises in providing business process outsourcing, professional support services and technology-enabled solutions to both public and private sector organisations. It has a significant presence across various industries, including government, healthcare, local authorities, finance, telecommunications and transportation. Capita's range of services encompasses customer service, HR and recruitment, IT services, software development, consulting and data management, among others. Capita also provides cyber services, which it describes on its website as "Providing robust, effective, and scalable security solutions". For the last few years Capita has lost contracts, earning the nickname 'Crapita', and under CEO Jon Lewis it has been working to turn around its contracts. A month before the cyber attack, Capita announced a successful year, saying it had made a "turnaround in our underlying financial performance, with increased adjusted revenue growth, profitability, free cash flow, and a material reduction in net debt".

What Happened

On the 31st of March 2023, Capita suffered a 'technical issue' which, three days later, they admitted was a cyber attack. Staff were unable to access their work systems, and clients such as local authorities were also affected: Oxfordshire, Barnet and Lambeth all announced that their phone lines were disrupted over the weekend because of the hack. By Monday, some savers at Phoenix Life, a closed life insurance business, were unable to withdraw their funds because part of the company's systems had been provided by Capita[1]. In Capita's first announcement of the breach, they said "there is no evidence of customer, supplier, or colleague data having been compromised". After a Sunday Times article on the 16th of April claimed that the paper had seen personal bank account details, addresses and passport photos being leaked online, Capita admitted in a statement on the 20th of April that "There is currently some evidence of limited data exfiltration from the small proportion of affected server estate which might include customer, supplier, or colleague data"[2]. In their first statement Capita said the attack was on some internal applications; the second statement gave further information, saying it had 'primarily impacted access to internal Microsoft Office 365 applications'.

Figure 1 – Capita’s cyber incident timeline

Review of Their Response

So, was their response a case study of what not to do?

I have marked each element of their response with a score to give a total score out of 100. At the end of this bulletin, there are a couple of other organisations’ scores which you can compare against this response.

Business Impact

Impact on their business model and long-term ability to retain and grow customers.

With the contracts they have and their central position in the delivery of government services, I think Capita is presently considered 'too big to fail'. If all the data they hold were to be compromised, it would become a national issue rather than just a company problem. The company's new CEO is currently working on turning the company around and announced positive results just before the hacking incident. However, Capita's mishandling of this incident may serve as a reminder to governments of their reliance on a single company and of supplier risk, potentially prompting them to diversify their risks in future contract negotiations by not using Capita. On the other hand, governments may lack the necessary in-house skills to carry out certain tasks and depend on outsourcing them. If Capita is successfully delivering services, there may be political reluctance to switch to another provider because of the concerns and risks involved in transferring to a new supplier. This incident may make potential customers rethink whether they want Capita to bid for their services, so Capita may be ruled out of some contracts. It might also deter organisations from using their cyber services. In conclusion, this situation may lead the government to reconsider its reliance on Capita and could potentially mark the beginning of a decline in its outsourcing services. Nevertheless, in the short term the government remains heavily dependent on Capita to provide essential services, so this incident will have little immediate impact.

Marks out of 15 – 11

The standing of the organisation before the cyber incident and the loyalty of its customers

Capita didn't have a great reputation prior to the incident, and so this incident may play into that narrative, although, as we have seen from the answer to question 1, it is very difficult in the short term for their customers to switch suppliers.

Marks out of 5 – 3

Response

Public and media sentiment on how well the incident has been managed

There has been heavy criticism in the non-tabloid media of Capita and its reluctance to provide information about the breach. Initially, they referred to the incident as a 'technical issue' and only admitted it was a cyber incident three days later. They have followed the same poor response as Arnold Clark did. They stated that they didn't believe any data had been lost. Only after a national newspaper reported that the alleged attackers, Black Basta, had released data did Capita, four days later, finally acknowledge that there was evidence of limited data exfiltration. Currently, the Pensions Regulator and the FCA are contacting all the organisations whose data Capita processes, advising them to check whether their data has been compromised. This suggests a lack of trust in Capita's previous statements on the matter. The crisis communications principle of 'it is not the initial event which causes the damage, it is the cover-up' seems to apply here. Capita's limited disclosure of information and delayed response give the impression that they are attempting to cover up the incident.

Marks out of 10 – 4

Time between discovering the hack and informing those affected

I wrote this about the Arnold Clark response, and it is equally applicable here. When I teach cyber incident management, I tell students that as soon as they hear an organisation has had a cyber incident with any major impact, or it admits to a ransomware attack, they can likely deduce two things: data is likely to have been locked, and data will have been exfiltrated. It may take some time for the organisation to confirm that data has been lost and what that data is, but you must work on the presumption that data has gone outside the company. Often the ransomware gang will contact you and tell you in the ransom note that they have your data, so you can't pretend that you don't know data has left the organisation.

Capita said they had no evidence that data had been compromised. I am not sure that statements like this are good enough, knowing that ransomware attacks usually take data. It looks like a cover-up, especially when they later have to admit they have lost data. The statement may be technically true, but I think these are 'weasel words'.

There was a tweet on the 8th of April (see figure 2) saying that Black Basta had put Capita's data on their leak site. It then took Capita another 12 days to put out a press statement saying that they had lost data. Were their forensic experts not monitoring the dark web, so that they could have alerted the company that there was definitely a data breach as soon as the data was posted? Even after the Sunday Times article, it still took Capita another four days to put out a press statement. The Sunday Times article also said that people had not been told by the organisation that their data had been compromised. As we know, every day that you are not told your data has been compromised is another day when you are vulnerable and not on your guard.

Figure 2 – Tweet first announcing Capita data loss
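The question above, whether anyone was watching the leak site and measuring the gap between the posting and the company's own statement, is the kind of check a practitioner can automate. The following is an added example (my code, not anything from the original bulletin, and not a description of Capita's or any responder's actual tooling). It takes a constructed set of leak-site listings in the shape a scraper would hand over, matches the victim names against a watchlist of organisations under normalisation, and reports how many days each listing was public before the organisation disclosed. The listing entries, the "Example Logistics" client and the feed format are assumptions; only the Capita dates (listing seen 8 April, statement 20 April 2023) follow the timeline described on this page.

```python
import re
import unicodedata
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Corporate suffixes dropped during normalisation so that "CAPITA PLC",
# "Capita plc." and "Capita" all compare equal.
SUFFIXES = {"plc", "ltd", "limited", "llc", "inc", "group", "holdings", "corp"}

# Constructed sample of leak-site listings, in the shape a scraper or feed
# parser might hand over (victim name as posted, posting date, source site).
# These are not real entries; only the Capita dates follow the public
# timeline in the bulletin (listing seen 8 April, statement 20 April 2023).
SAMPLE_LISTINGS = [
    {"victim": "CAPITA PLC", "posted": "2023-04-08", "site": "blackbasta"},
    {"victim": "Capital Cars", "posted": "2023-04-09", "site": "other"},  # near miss
    {"victim": "Example Logistics Ltd.", "posted": "2023-04-12", "site": "lockbit"},
    {"victim": "Capita", "posted": "2023-04-17", "site": "blackbasta"},
]

# Watchlist: organisation -> aliases a leak site might use (legal names,
# brands) and the date the organisation itself confirmed data loss, or None
# if it has not yet done so. "Example Logistics" is a hypothetical client.
WATCHLIST: Dict[str, dict] = {
    "Capita": {"aliases": ["Capita plc", "Capita Group"], "disclosed": date(2023, 4, 20)},
    "Example Logistics": {"aliases": ["Example Logistics Limited"], "disclosed": None},
}


def normalise(name: str) -> str:
    """Fold case and accents, strip punctuation and corporate suffixes."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    words = re.sub(r"[^a-z0-9 ]+", " ", folded.lower()).split()
    return " ".join(w for w in words if w not in SUFFIXES)


def matches(org: str, entry: dict, listed_name: str) -> bool:
    """Exact match on normalised whole names (org or alias), never substring:
    a substring test on 'capita' would also fire on 'Capital Cars'."""
    targets = {normalise(org)} | {normalise(a) for a in entry["aliases"]}
    return normalise(listed_name) in targets


@dataclass
class Hit:
    org: str
    listed_as: str
    site: str
    posted: date
    days_undisclosed: int      # days the listing was public before the org's own statement
    still_undisclosed: bool    # True if the organisation has not yet confirmed the loss


def check_listings(listings: List[dict], watchlist: Dict[str, dict], today: date) -> List[Hit]:
    """Match every listing against the watchlist and measure the disclosure gap."""
    hits: List[Hit] = []
    for item in listings:
        posted = date.fromisoformat(item["posted"])
        for org, entry in watchlist.items():
            if not matches(org, entry, item["victim"]):
                continue
            disclosed: Optional[date] = entry["disclosed"]
            end = disclosed if disclosed is not None else today
            gap = max((end - posted).days, 0)   # a listing after disclosure counts as 0
            hits.append(Hit(org, item["victim"], item["site"], posted, gap, disclosed is None))
    return sorted(hits, key=lambda h: h.posted)


def report(hits: List[Hit]) -> List[str]:
    """One alert line per hit, suitable for a ticket or chat notification."""
    lines = []
    for h in hits:
        status = "NOT YET DISCLOSED" if h.still_undisclosed else "disclosed"
        lines.append(f"{h.posted.isoformat()} {h.site}: '{h.listed_as}' -> {h.org} "
                     f"({h.days_undisclosed} days public before statement, {status})")
    return lines


def run_demo() -> List[Hit]:
    """Run the check over the constructed sample as of 21 April 2023."""
    return check_listings(SAMPLE_LISTINGS, WATCHLIST, date(2023, 4, 21))


if __name__ == "__main__":
    for line in report(run_demo()):
        print(line)
```

Two design points matter in practice. Matching is on whole normalised names rather than substrings, so a near miss such as 'Capital Cars' does not page anyone, but the alias list has to be maintained with the legal names, brands and subsidiaries a gang might post. The gap is measured against the organisation's own disclosure date, which is the number this bulletin is really asking about: a listing that is still open with no statement is flagged as such, and a listing that appears only after a statement scores zero.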

Marks out of 10 – 2

Communications

Appropriate media strategy and tone used to frame communications. 

There appears to be a media strategy of saying as little as possible and only putting out a statement when forced to. The use of 'currently some evidence', 'limited data exfiltration' and 'a small proportion of affected server estate' suggests Capita is downplaying the incident while making sure not to lie. Words matter, and this use of language says to me 'we just want this all to go away and we are going to tell you the absolute minimum we can get away with'. There has also been no apology or contriteness from the company. Loss of personal data affects people and can have a large impact on them, yet there is no acknowledgement of this in their statements.

Marks out of 10 – 4

Appropriate and timely information on the incident is being provided to those who need it.

'Too little, too late' is my impression of their public communication. There may be information channels between the company and their customers, but all the information I have read appears to come from public statements rather than from anything told to customers and then leaked to the press. I think it will take some time for the true impacts, and what has been done, to come out.

Marks out of 10 – 4

Use of the website to provide information to those affected

The information, as said before, is short and sharp and downplays the incident. You can find it in the news section of the website, but there is no visible mention of it on the home page.

Marks out of 10 – 4

Providing support to victims and where they can go for help and the timeliness of this help provided.

This is a B2B business, so they don't deal directly with the public, and there has been no public information to date on how affected individuals can protect themselves. I would hope that if members of the public's personal information has been exfiltrated, guidance will be given. There has been no class action advertising yet, but if a lot of non-staff data has been breached, I wonder whether there could be one.

Marks out of 10 – 6

Visibility of senior managers / CEO

In all communications there has been no visibility of the CEO in the response at all, although it was reported that he was due to go on holiday just after it happened and cancelled going away. That is good practice, but good practice also says that the CEO should be visible in the response. Perhaps he is worried about his own career and image and doesn't want to be associated with this incident!

Marks out of 10 – 3

Using social media channels to signpost fuller information on the hack

Capita doesn't seem to use social media much; there were two tweets during the incident, one on the 31st of March acknowledging that there was a technical incident, and a second on the 3rd of April pointing to the first press release.

Marks out of 10 – 4

Conclusion

I personally believe that this incident is a significant embarrassment, not only for Capita but also for the organisations that rely on Capita to deliver part of their operations. I checked the websites of several organisations which newspaper articles say receive services from Capita and found no mention of the hack. It seems that Capita's customers are also keeping a low profile and hoping that the incident will quickly fade away. However, the fact that regulators have asked the organisations they oversee to review their exposure to the breach keeps the story in the public eye and prolongs the incident.

Capita says the cyber incident impacted Microsoft 365, which presumably includes email. We often overlook the vast amount of information transmitted via email, not only in the body of the message but also as attachments. It makes me wonder whether the data released by Black Basta was email attachments, which would mean a potentially diverse mix of documents being exfiltrated.

Choosing to say as little as possible and avoiding transparency and honesty is, in my opinion, not a great strategy for Capita. This approach has increased the impact on them, and only in the long term will we see whether this incident is a temporary setback on the road to their recovery or the beginning of a slow decline.

Total marks out of 100 – 45 (the sum of the marks above)

Other Cyber Marks out of 100

New Zealand Stock Exchange DDoS attack, September 2020 – 65

Easyjet hack, May 2020 – 58

Arnold Clark – 48

[1] The Times, "Capita, IT outsourcer, reels from being locked out of its own IT", https://www.thetimes.co.uk/article/capita-it-outsourcer-reels-from-being-locked-out-of-its-own-it-dhk9lgnd6

[2] Capita statement on its website, published 20th April 2023.
