pleroma.debian.social

The Guardian (who are themselves working out of a pub still due to a ransomware attack in December 2022) are reporting (a major IT supplier) have an "IT incident", staff have been told to not use VPN, and they are working with pen and paper since this morning. Thread follows. https://www.theguardian.com/business/2023/mar/31/capita-it-systems-fail-cyber-attack-nhs-fears?CMP=share_btn_tw

I had forgotten how big Capita are. It's like 492304932 different business units. Shodan Safari is like looking into the sun.

It looks like some of the plc centrally use Okta for authentication.. I hope they enabled Number Verification.

The Times just filed a piece saying the outage is ongoing and hitting "every division" (only one source, not sure I buy it), with staff getting verbal 'round robin' updates. https://www.thetimes.co.uk/article/2a6270b8-cfbd-11ed-9a00-73fd2b90e22e?shareToken=1df09835bc32a38e9b8ae2b0e7556097

The Times reporter is being verbally briefed as still don't have email (almost 10 hours in).

They're told: 'There appears to be no risk to personal data processed by the business. The outage seems to be hitting Office365 programmes including Outlook, Excel and Teams rather than client systems...'

Financial Times have a new article up about , saying two people familiar with the matter say cyber incident cannot be ruled out.

Curiously all the media articles about it this evening talk about the IT incident in the past tense - but it is still ongoing, it hasn't been resolved.
https://www.ft.com/content/00f9591f-e07a-4339-ba3e-413818602515

are still working to restore service.

Verbal update from - they’re still restoring internal service, “there is no evidence that any data has been compromised."

They won’t discuss what is happening.

has been in contact with people at the NCSC and NCA. Interesting an IT supplier would rather talk about a 3 day ongoing IT incident than mention the cyber word.

Latest statement from - 3 days in they have restored their Office 365 access, and are now trying to restore their customer’s services. “Working in collaboration with our specialist technical partners, we have restored Capita colleague access to Microsoft Office 365 and we are making good progress restoring remaining client services in a secure and controlled manner.”

The Times have a report up saying NHS services staff are working using WhatsApp and Google Drive, rather than approved Microsoft tooling.

Massively concerned by lack of transparency, going to start digging into this tomorrow with officials. https://www.thetimes.co.uk/article/capita-dogged-by-it-problem-for-three-days-wthl2zp5v

finally admit they have a cybersecurity incident. No details about what is happening, it’s a regulatory notification. They had been privately briefing customers it wasn’t security related. https://www.londonstockexchange.com/news-article/CPI/statement-re-cyber-incident/15901425

I am told various UK regulatory authorities are beginning to look into what has happened at as there is varying degrees of concern about different elements, e.g. disclosure to customers and ongoing data access.

have changed their website frontpage to be a response to the cyber incident.

are listed on Black Basta ransomware portal as a victim.

They posted various screenshots of access to personal data (e.g. passport scans), security vetting, nuclear BACS payment details, architecture diagrams, school reports etc - Capita customer data.

http://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion/?id=CAPITA

's breach is also being sold on the portal, you can pay cryptocurrency for "Remote exclusive server with data of "CAPITA""

Black Basta focus on data exfiltration, traditionally using rclone. Prior reading: https://www.hhs.gov/sites/default/files/black-basta-threat-profile.pdf

I took a look at Capita’s ransomware incident, and looked at what they’ve told the media and customers versus the reality of what has happened.

Black Basta ransomware group extorts Capita with stolen customer data, Capita fumble response.

https://doublepulsar.com/black-basta-ransomware-group-extorts-capita-with-stolen-customer-data-capita-fumble-response-9c3ca6c3b283

The Times website has a report this evening about the Black Basta breach of Capita. Capita still deny there is any evidence of data being compromised.. in a story that even includes details of Capita’s office floor plans leaking.

https://t.co/3gSWyKp3bE

are apparently now known as the "BBC license fee firm"... which might explain why BBC News haven't even mentioned the initial outage I guess. https://www.bloomberg.com/news/articles/2023-04-16/data-feared-stolen-at-bbc-licence-fee-firm-amid-hack-telegraph

The Record reports is "...understood to be working to establish whether the data is authentic or if the extortion group had cobbled it together from other sources."

Maybe the source is cobbled together from Capita Business Services... or Capita Nuclear. Or one of the other Capita business units in the portal. https://therecord.media/capita-investigates-authenticity-data-leak

Capita data breach has made BBC News. Capita still pretending it isn't happening.

After two weeks of telling press and customers privately my blog was inaccurate, suggesting the leaked data was public domain, denying it was ransomware etc.. have now admitted a data breach.

They’re still not giving full story or admitting Black Basta, more to come on how to defend your org.

Btw, Capita handle all security clearance - DV and SC - for sensitive jobs and data access. Not great they got owned by Russian hackers and then tried to ineptly cover it up.

I've written a post on the ransomware breach, which potentially has national security implications in the UK.

- Includes technical steps orgs can take to protect themselves from a similar situation

- A call to arms on a change in how organisations handle ransomware incidents, makes case for transparency

https://doublepulsar.com/russian-hackers-exfiltrated-data-from-capita-over-a-week-before-outage-b67453e0bd59

It's a month since Russian hackers first got into , on March 22nd.

Black Basta also list Capita as CAPITA_2, just noticed - two listings.

Really interesting piece in The Times, where Capita claim that they informed clients they were hacked at 11am on Friday 31st March (the first day) and kept them briefed.

Anybody agree or disagree this was true? https://www.thetimes.co.uk/article/silence-is-deafening-after-cyberattack-on-capita-dgns935gz

BBC report on the Pension Regulator concerns about the data breach at .

Capita administer pensions for around 4 million people. https://www.bbc.co.uk/news/business-65443841

The FT also have a story on it, where Capita refuse to confirm or deny the Black Basta thing. Super crazy as they definitely know what happened. https://www.ft.com/content/c4383788-e27b-48ea-bd72-044c01841926

were still listed unindexed on Black Basta's portal, so I entered a chat and asked Black Basta if they hacked Capita.

Black Basta erased the chat history, and removed CAPITA and CAPITA_2 from their portal just now. Previously, Capita declined to comment about communicating with Black Basta to @BleepingComputer

The Financial Conduct Authority has written to Capita’s customers, reminding them of their responsibilities when it comes to data breach at Capita. https://www.ft.com/content/9a6c1e80-6302-4749-8841-3c5971d5d1cd

Financial Times reports that pension data has been exfiltrated from Capita’s customers, and that the ICO says they have received “other breach reports believed to be in connection with the Capita incident” from Capita’s customers. https://www.ft.com/content/baa794ff-90dc-4d6c-a930-64dae7391940

The Sunday Times newspaper has a big feature about ransomware today, featuring me, @ciaranmartin, @brett

I just want to call out this bit about Capita and say their failure to acknowledge the fact they lost security vetting data impacts real people, at a scale way bigger than one person - I think it is ethically poor that Capita just deny stuff that matters.

https://www.thetimes.co.uk/article/how-hackers-are-recruiting-on-the-dark-web-mpl2hvsss

have issued a market update and confirmed data exfiltration. They wordsmith it to be data exfil from 0.1% of their server estate, rather than data volume or what was taken. They also use the cyberattack update to boast revenue wins.

However, the company could use the cyber attack to its advantage, he added.

“If Capita is smart it’ll come out of this saying we’ve more experience of handling this than anybody else, you should be using us, because we know what we’re doing and we employ leading experts in this field,” Rawlinson said.

Lmao, that’s one take.

https://www.ft.com/content/20aa4844-2ebe-44dc-9550-7d950150e784

Friday evening news drop: USS lecturers’ pension fund may have had their personal details stolen during the recent cyberattack on the outsourcing firm . https://www.uss.co.uk/news-and-views/latest-news/2023/05/05122023_important-information-about-capitas-cyber-incident

By ‘may have been exfiltrated’ in that scenario, Capita mean ‘the attacker definitely rcloned the entire server to a VPS provider’, just FYI to pension companies.

The Telegraph reporting that, aside from USS, around 350 other pension providers are impacted by hack of Capita, with millions of pension holders requiring notification - they call it the largest hack in British history. https://www.telegraph.co.uk/business/2023/05/12/capita-hackers-steal-personal-data-350-funds-hack/

One month ago Capita’s CEO claimed their response to the attack would “go down as a case history for how to deal with a sophisticated cyber attack” - while denying any data exfiltration, and blaming the incident on a single staff member clicking a link (that bit was behind a Times paywall).

I suspect Capita’s board should be asking if somebody opening a file is the real cause of the issue - or if it’s a cascading failure to manage properly and transparently from the top down.

USS have today started notifying just under half a million people that lost their data to Black Basta. USS didn’t include that National Insurance numbers were taken.. which enables fraud.

Due to legal requirements in the UK, every pension holder in every impacted pension scheme will need to be notified individually - according to media reports, this is up to 350 pension schemes. So this may become the biggest data breach disclosure ever in the UK.

I haven’t pressed publish on this yet, partly as I want to see what Capita disclose. It’s not just pensions.

Colchester City Council has been informed they have a data breach by . Capita are telling them the data has now been “secured”. Colchester City Council say they have “extreme disappointment with Capita”. https://www.colchester.gov.uk/info/cbc-article/?id=KA-04376

Update: it turns out this was related to the S3 bucket incident.

Interesting detail in the Colchester piece about - as far as I know, no other local authorities have yet told the ICO, which they are supposed to do within 72 hours.

Btw, if anybody wonders if I’m human and feel sorry for the Capita cybersecurity staff dealing with this - absolutely. I feel awful for them. I’ve always said the technical containment and investigation sounds good.

I suspect there have been people there tearing their hair out. I doubt the decisions to pretend leaked data was public domain, not admit ransomware, say 0.1% of server estate etc came from the immediate responding teams.

Diageo pension fund says their data has been compromised in breach.

“During the course of April, Capita informed us that they had taken steps to isolate and contain the incident whilst they continued to investigate it. However, on 3 May, Capita told us that it is likely a file containing your data had been compromised.”

https://www.scotsman.com/news/crime/diageo-pension-fund-members-caught-up-in-russia-linked-capita-cyberattack-4143864

The Financial Times reports are saying it will take them through to the end of May to notify pension funds about breached data - over 2 months since the hack began. https://www.ft.com/content/39b71f11-6628-476f-9876-59697be25fb9

More from FT on the Black Basta ransomware fall out, questions how much insurance will cover. https://www.ft.com/content/ff150b65-8dc6-48c8-b2e4-6b8fbee4ea03

Lots of new details in Times piece about the cybersecurity woes engulfing Capita. Features my Mastodon thread about the files on ’s own website.

New victims include staff at PWC, Unilever and The Cabinet Office. 11 councils are also investigating the open bucket issue.
https://www.thetimes.co.uk/article/0513205a-f718-11ed-a712-8f47f8e830cf?shareToken=e595f233220e2a4532500771d0175ea9

Non-paywall version if you hit it: https://archive.ph/2023.05.20-234130/https://www.thetimes.co.uk/article/capita-under-fire-after-confidential-files-published-online-7cjh2jj59

UK’s largest pension insurer, Rothesay, has been caught in breach https://www.rothesay.com/news/newsroom/statement-on-capita-s-cyber-incident/

If you’re wondering why specifically pension companies are disclosing, the Pension Regulator has reminded both them and Capita that there are clear and enforceable legal obligations for pensions.

The breach involves other data, including UK gov data, which has not been disclosed.

USS customer notification about Capita breach is categorical that pension data was exfiltrated - previous language was around data potentially being accessed https://infosec.exchange/@spzb/110414033883093993

USS pension update is on their website now. Pension data was definitely stolen via . https://www.uss.co.uk/news-and-views/latest-news/2023/05/05252023_important-update-on-capitas-cyber-incident

The ICO issued an update on just now, acknowledging the ransomware incident and the open bucket incident.

The BBC report nearly a hundred companies have contacted the ICO so far about . https://www.bbc.co.uk/news/technology-65746518

What Security Watchdog (owned by - they're currently mid sale to another company) do. I may have added the final line.

have sold Security Watchdog to .

NHS England say they had data breach via of medical records of two active patients and two deceased patients https://www.england.nhs.uk/2023/06/nhs-england-statement-on-capita-cyber-incident/

Several months later, have told teachers in Sheffield they may have had a “potential” data breach. https://www.thestar.co.uk/taxonomy/term/2438/taxonomy/term/164/warning-as-sheffield-schools-hit-by-data-leak-after-hackers-target-capita-4177037

Long time readers of this very thread may remember I pointed out the Sheffield teacher breach over 2 months ago. https://doublepulsar.com/black-basta-ransomware-group-extorts-capita-with-stolen-customer-data-capita-fumble-response-9c3ca6c3b283

Legal proceedings initiated against Capita over data breach. https://www.professionalpensions.com/news/4117931/legal-proceedings-initiated-capita-breach

Miners Pension Fund members have data stolen in hack - members informed almost 3 months later. https://www.thenorthernecho.co.uk/news/23605752.miners-pension-fund-members-data-stolen-capital-hack/

Remember the Black Basta ransomware incident from March? It’s still playing out months later - one of the orgs say “We remain concerned at the level of information provided to USS by Capita”

https://www.ucu.org.uk/article/13020/Update-on-USS-Capita-data-breach

Four months in, Capita have finally admitted to its own staff that their data was taken.

Auditors PWC are amongst the many other victims. They say Capita have been unable to provide “final, complete and accurate” information.

In other news, Capita and PWC have just won the contract to provide the UK’s cyber incident reporting platform. https://www.ft.com/content/52130b83-6ad7-474c-aaf7-88a549dc85e3

The Times reports staff saying Capita “played down” the ransomware/extortion during internal meetings and reported that executives said that “attacks happened to all organisations” and “it is just a small breach”. https://www.thetimes.co.uk/article/capita-admits-hackers-also-stole-staffs-personal-details-jjkw3r7rs

Capita’s CEO has announced he is retiring. Capita say he had stayed on to deal with the ransomware/extortion incident.

The Times ran the headline “Capita boss heads for exit with turnaround finished” attached to a puff piece, so I just checked on how are doing. Good that the turnaround is finished. A story in 4 pictures.

In ’s financial results they say “minimal impact from cyber incident”, in a call with investors they described it as a non-event.

Good luck to Capita’s clients. 🫡

Capita's share price is down 18% today. Or as Capita call it, 0.1% affected by a Happy Little Non-Event.

Just over 2000 people are taking legal action against , including some of its own employees.

Note this report contains factual inaccuracies as it relies on Capita’s version of events.

https://www.theregister.com/2023/09/13/capita_class_action_2000_claimants/

@GossiTheDog Their offer of a year's 'Free' access to Experian credit monitoring for those affected does not feel like an adequate response to anyone who has looked up Experian's history of data breaches.

30k school pupil records were exfiltrated as part of the Capita hack, but the Department of Education doesn’t appear to have told parents. https://schoolsweek.co.uk/hackers-steal-pupils-details-from-capita/

4000% increase in pension scheme breaches reported to the ICO in the UK this year.

Capita never disclosed the number of pension schemes impacted their end but I’ve heard it was… a lot.
https://www.pensionsage.com/pa/UK-pension-schemes-record-4000-pc-rise-in-cyber-security-breaches.php

Capita are saying, regarding their court case, that there is no evidence that data stolen was publicly available. They may want to tell the people who were directly impacted. https://www.thetimes.co.uk/article/how-hackers-are-recruiting-on-the-dark-web-mpl2hvsss

It’s been almost a year since the ransomware incident began. Here’s how the new CEO describes it in their yearly update.

There’s now some careful rewording around data exfiltration and “recovery activities” of said data.

The exact amount they book for incident response and recovery is £25.3m, and they do not mention if insurance will cover. Overall the business has booked a £106.6m loss for the year.

cut the pension business out of their operational KPIs, citing the impact of the ransomware incident.

Investors react.

’s new CEO has refused to say if they paid Black Basta ransomware group last year (they did). https://www.thetimes.co.uk/article/capita-in-the-red-as-more-cuts-announced-mrs9gkx97

This thread is almost 1000 days old and getting a resurrection. have been fined £14m by the ICO over their ransomware incident.

Lots of big details in the fine, including over 1tb of data stolen (as detailed in this Mastodon thread at the time), confirmation of Qakbot and my blog etc.

Their SOC was wildly understaffed. It took the attacker 4 hours to get domain admin due to poor security practices. Lots of learnings for large orgs.

Capita had the PII of 6 million people exfiltrated.. but aren’t exactly sure how many still.

Additionally, they already had a major security incident running and external IR in before the encryption - while this incident was running, the attacker stole a terabyte of data over several days. The cause? No containment. They didn’t contain when they knew the attacker was on the network.

Here’s the data stolen. This included my data, as I had used their employee vetting scheme at the time (for a different company).

Capita says their systems had Nessus vulnerability scans. The ICO notes this is not a silver bullet, and that recurring penetration tests should take place. It found the business unit with exfiltrated data never had a pen test.

@GossiTheDog er. That's a *lot*.

Iirc CVV/CVCs are not to be stored by anyone except card issuer once the transaction is done, so that's possibly also going to be headache land for them
https://blog.pcisecuritystandards.org/faq-can-cvc-be-stored-for-card-on-file-or-recurring-transactions

@GossiTheDog the number of places I've been to which run Nessus on a regular basis and then never actually fix anything is insane. I spent two years working at another large IT company. Every month I ran a Nessus scan and issued a report to management. That report was pretty much the same every month.

Capita had written down that it responds to all P2 alerts in its SOC within 45 minutes. It actually took them several days to reach the initial alert. They were never reaching their internal SLA.

They argued with the ICO that it is not able to regulate its internal SLAs and that this is regulatory overreach.. the ICO took a different view.

@GossiTheDog I'm just dumped as the even WHAT type of data is collected and then stored forever ... ridiculous.

@GossiTheDog Oh, well at least it wasn't anything sensitive like your

• Address;
• International address;
• Email address;
• Phone number;
• Date of birth;
• Child data;
• National Insurance (“NI”) number;
• Driver's licence / driver's licence scan;
• Passport number / passport scan;
• Photo ID scan;
• Other national ID / numbers;
• Bank account numbers and sort codes;
• Personal International Bank Account Number ("IBAN");
• Credit card number / credit card scan;
• Debit card number and CVV / debit card scan;
• Biometrics;
• Employee login details;
• Copies of signatures.
• Health information;
• Medical numbers;
• Racial/ethnic origin;
• Political beliefs;
• Religious/philosophical beliefs;
• Trade union membership;
• Sexual orientation;
• Criminal records ("CRB") checks.

The ICO's view is orgs should be treating CobaltStrike as a P1 and immediately isolate systems pending investigation.

Capita claim none of the exfiltrated data was available on the dark web - which is actually false if you read this thread, The Times got data from the portal and called the victims (teachers Capita vetted).

Nevertheless, the ICO doesn’t agree anyway - there is still a risk of harm even if you pay the ransom and try to cover up the data theft, basically.

@GossiTheDog Capita used to run the Public Sector Recruitment (PSR) for the UK Gov (framework for hiring contractors). Admittedly quite a while ago now. Don’t suppose you know whether this breach touches that?

The ICO note Capita sell a Managed SOC service to the UK government.. but failed to run its own SOC properly.

@GossiTheDog Ouch... burn!

The ICO finds that Capita was negligent when it comes to cybersecurity, particularly highlighting the SOC and Active Directory security.

@GossiTheDog Crapita strikes again!

@GossiTheDog I think this should find its way into SOC best practice documents, stat.

The full Capita report is available here:

https://ico.org.uk/media2/pv5nhks4/capita-plc-and-cpsl-monetary-penalty-notice.pdf

A significant portion of the report is Capita arguing with the ICO that it doesn’t have the remit, and the ICO saying “Sure Jan” and then Capita agreeing the fine.

Tl;dr love your SOC. And fix Active Directory. The threat actor actually deployed BloodHound before Capita. And don’t try to cover up your breaches.

@GossiTheDog they should have thought it well

@GossiTheDog How much do you think companies should be spending to staff their SOC? Every dollar they make? Sorry it's just nuts how expensive all this is.

@GossiTheDog this is absolute madness