What Capita’s cyber security breach likely means for IT contractors

Global titan of the outsourcing industry, Capita Plc, is currently under fire due to a cyber attack on March 22nd 2023, with potential implications for IT contractors, writes Mel Hzeg of Gerrish Legal.

What is the context of the Capita data breach?

After initially claiming that it was just experiencing IT issues, Capita has since confirmed that it was hacked by an unknown entity.

While Capita understandably spent a few days trying to regain access to its servers and get back to business, it originally issued a statement saying, “there is no evidence of customer, supplier or colleague data having been compromised.”

Since then, however, the company has conceded that “some data was exfiltrated” – albeit less than 0.1% of its server estate – and it has taken “extensive steps to recover and secure the customer, supplier and colleague data contained within the impacted server estate.” So if you’re a customer, supplier or colleague of Capita, you could be affected.

Shocking, poor, and timely

Until further updates from the company reassure otherwise (the last update was on May 10th), it is shocking that Capita, with high-level clients such as the NHS and the Ministry of Defence, has been shown to have cybersecurity poor enough to allow this attack to happen.

Indeed, announcing last week that the incident will cost the company up to £20 million, Capita said part of that price tag reflected the need to “reinforce” its “cyber security environment.”

That same update from Capita spoke of the company ‘notifying those affected.’ Even so, we’d advise that, if you’re a colleague, supplier or customer of Capita, it would be wise to take proactive steps in anticipating the worst-case scenario, as we wait for Capita’s investigation to conclude.

The Information Commissioner’s Office (ICO) has confirmed that Capita reported the incident in a timely manner and so a separate ICO investigation is underway.

What do data breaches like Capita’s mean for IT contractors?

As an outsourcing company, the hiring of contractors to work on specific projects on a short-term basis is Capita’s bread and butter. This means that contractors could find themselves to be one of the most vulnerable groups, now that we know there was a data breach.

Depending on the nature of the breach, contractors’ personal and/or professional information, such as names, passwords, IP addresses and credentials, could be compromised.

These pieces of data in the wrong hands could lead to identity theft and financial loss. While it remains unclear whether the exfiltrated data was sensitive, the reputational damage to Capita is already clear as day.

Capita’s share price fell over 20% from a pre-breach high, indicating that investors are less than confident in a company showing a poor cybersecurity defense. This should concern Capita’s contractors too, as they now see a major professional ally and partner being a risky bet.

Separately, in early April this year, US-based data storage device maker Western Digital was hit with a major security breach and the cyber-criminals gained access to sensitive data.

Steps to take as a concerned contractor…

This recent trend of cyberattacks is not showing signs of slowing down, and the more it happens, the more contractors will have to be cautious when it comes to the companies they choose to work on behalf of. The chosen company’s cybersecurity should be a massive factor for contractors.

Under data protection regulations, organisations are legally bound to demonstrate that they have taken all the necessary steps to protect personal data.

If there is a data breach, persons who have suffered from it can take legal action to claim compensation. Oftentimes, many people will be affected by a data breach, so the victims can group their claims into one single case for reasons of simplicity and efficiency.

Four top tips if you’re affected by Capita’s data breach

If it’s too late for you to avoid the Capita data breach, it’s never too late to react sensibly, so here are four tips to take onboard to help minimise potential damage:

  1. Change your passwords: Passwords are usually used to access sensitive data, so changing them after a data breach is important to ensure that this data cannot be accessed. It is important to have a unique password of at least 8 characters, mixing letters, numbers and symbols.
  2. Check for updates from the company: Capita is required to update affected people and companies, so regularly checking your emails and the statements on their website is a must. Furthermore, the findings of the ICO investigation will be published on their website, so it’s important to listen not only to Capita, the victim in this instance, but to the regulator too.
  3. Watch your accounts and freeze your credit: If your sensitive credit card information was at risk of being part of the Capita breach, it is important to be extremely vigilant with regard to irregular transactions on your account. You may also want to freeze your credit to prevent wrongdoers from opening a new account in your name. If you have lost money, you should tell your bank and report the crime to actionfraud.police.uk.
  4. Call or write directly to the ICO if you have further concerns, so you can talk to an adviser.

For reference, Capita has said that the “unauthorised intrusion” by parties as yet unidentified “was interrupted by Capita which resulted in the impact of the attack being significantly restricted.”

The company added: “Capita expects to incur exceptional costs of approximately £15m to £20m associated with the cyber incident, comprising specialist professional fees, recovery and remediation costs and investment to reinforce Capita’s cyber security environment. Capita has also taken further steps to ensure the integrity, safety and security of its IT infrastructure to underpin its ongoing client service commitments.”

Written by Gerrish Legal

Gerrish Legal is a digital commercial law firm based in London, Stockholm and Paris. Gerrish Legal gives contractors the trusted legal support they need to run their business in all areas of commercial, contract, intellectual property and data protection law. Unlike traditional law firms, we follow your legal matter from A to Z. From the moment contractors partner with us, they can rest assured their legal needs will be looked after with the utmost care. We stay on top of the latest trends, embrace innovation, and provide flexible legal advice in accordance with our contractors’ budgets and deadlines.