
Capita confirms stolen data in April cyberattack

Following its April cyberattack, in which Capita employees were locked out of their accounts on Friday after an attack by the Black Basta ransomware group, the company has finally confirmed that some data was in fact extracted from Capita’s systems. It expects to incur costs of around £15 to £20 million because of the attack, including “specialist professional fees, recovery and remediation costs and investment to reinforce Capita’s cyber security environment”.

According to the company’s initial statement, it experienced a cyber incident on March 31 that primarily affected access to internal applications, causing disruption to some services provided to individual clients. It was later clarified that the incident affected access to internal Microsoft Office 365 applications.

By April 17, the Black Basta ransomware gang had already listed Capita on its victim data leak site, claiming that it had access to personal and financial data stolen from the company, including bank account details, addresses and passport scans.

That said, Capita claims that the data extracted comprises less than 0.1% of its server estate “based on its own forensic work and that of its third-party providers”. The company’s previous notification dated April 20 claimed that the incident affected only about 4% of the company’s server estate with some evidence of “limited data exfiltration”. 

It also informed the Universities Superannuation Scheme (USS), the largest pension scheme in the UK, that its members’ data was stolen in the incident, with the threat actors having access to Capita servers containing the personal information of nearly 470,000 active, deferred and retired members. This data includes names, birthdays, national insurance numbers and USS member numbers.

However, according to USS’ statement, Capita can’t confirm whether this data was definitively accessed or copied by the hackers, but recommends that USS work on the assumption that it was. USS is still waiting to receive the specific data from Capita.

So far, Capita has faced two major cybersecurity incidents in 2023. In addition to this cyber attack, an anonymous security researcher found an unprotected AWS bucket owned by the outsourcing giant which had been left exposed on the internet since 2016. The bucket contained nearly 3,000 files totalling roughly 655GB in size.

The security researcher had informed Capita of the breach in late April and the company secured the bucket within the week. The company hasn’t confirmed whether this bucket is part of the April cyber incident, but given the age of the database and the fact that it had been indexed by database search engines, it’s unlikely that the leak resulted from a cyberattack; it was a result of negligence instead.

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
