Black Basta, the extortionists who claimed they were the ones who lately broke into Capita, have reportedly put up for sale sensitive details, including bank account information, addresses, and passport photos, stolen from the IT outsourcing giant.
A spokesperson for the London-based corporation, which has UK government contracts totaling £6.5 billion ($8 billion), said it hasn’t yet confirmed if that data leak is legit.
“We continue to work closely with specialist advisers and forensic experts in investigating the incident,” a Capita spokesperson told The Register.
“We are in constant contact with all relevant regulators and authorities. Our investigations have not yet been able to confirm any evidence of customer, supplier, or colleague data having been compromised.”
Those regulators and authorities include the UK’s Information Commissioner’s Office, and an ICO spokesperson confirmed Capita had reported a network intrusion, sorry, “incident” to the data watchdog. “We are assessing the information provided,” the ICO spokesperson told The Register.
Once it finalizes its own probe, Capita said it will “if necessary” inform all parties affected in the security breach.
“We have taken all appropriate steps to ensure the robustness of our systems and are confident in our ability to meet our service delivery commitments,” the spokesperson said.
The technology outsourcer at first confirmed it had suffered an “IT issue” late last month, though didn’t cop to it being a “cyber incident” until April 3.
Over the weekend, the Sunday Times claimed the IT breach was worse than Capita has admitted to date: Capita has played down fears that personal and corporate information was accessed, though it appears the miscreants who broke into the business have started selling off that very kind of data, said to be lifted from Capita’s systems.
Information listed for sale by Black Basta, according to the newspaper, includes people’s phone numbers, home addresses, and details on more than 100 bank accounts, along with personal data belonging to teachers’ applying for jobs at schools.
The crooks claimed the information is merely a sample of what they’ve stolen from Capita, though as of this weekend, the link to buy the supposedly purloined documents didn’t work, we’re told.
According to infosec watcher Kevin Beaumont, the data listed for sale also included a Capita Nuclear document, papers marked confidential, internal floor plans of multiple buildings, and security vetting for customers.
This is alarming because the IT firm provides a huge number of services for Blighty’s National Health Service organizations, as well as the British Army, Royal Navy, and fire and rescue operations for the Ministry of Defence, among other public and private organizations, including O2.
It’s also a study in how not to handle incident response, Beaumont said, citing the lack of transparency from Capita about the intrusion from the get-go.
“Capita’s customers and regulators should be asking Capita to explain this – on the record and in writing,” Beaumont wrote, adding that while they still have time to change course, “the clock is ticking.”
“Failing to disclose the loss of personal data can have serious financial and reputation damages — in short, do not cover up ransomware and extortion incidents or you may end up the case history of how not to respond,” he reminded world-plus-dog. There is no suggestion of wrongdoing by Capita. ®