Skip to content

Capita messes up again as new cloud data leak surfaces

  • by
  • 2 min read

After an anonymous security researcher discovered an unprotected AWS bucket owned by outsourcing giant Capita which had been left exposed on the internet since 2016, the Colchester City Council has officially requested the company to provide additional information to confirm the extent of the breach as soon as possible. 

Capita was entrusted with the task of providing the council’s end-of-year auditing services for council tax and benefits. The task involves extracting information from the council’s secure systems but in the words of the council’s announcement, “recent events have brought to light the fact that Capita has failed to maintain the necessary standards for data protection”.

The benefits data files referred to here are classified as “historic data” and relate to the 2019/20 and 2020/21 financial years. This data, in addition to other similar information from other local authorities, was among the 655GB of data on the unsecured AWS data bucket controlled by the company. 

That said, the council did state that Capita has not only secured the data bucket and that the data leaked didn’t include any bank details. There’s currently no evidence of any malicious use of Colchester’s data either. However, the council wants additional information to confirm the extent of the breach anyway. 

Richard Block, Colchester City Council’s Chief Operating Officer said that while the council has been assured that no personal bank details were exposed, they expect “a full explanation and remedy from the company and for them to apologise directly to those affected”.

The announcement comes hot on the heels of Capita’s recovery from a ransomware attack in April 2023 where its employees were locked out of their accounts. The cyberattack was carried out by the Black Basta ransomware group, which had already listed Capita as a victim on their data leak site by April 17 claiming that they have access to personal and financial data including bank account details, physical addresses and passport scans. 

In the News: 30-second unskippable ads are coming to YouTube on TV

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: