Capita hit by new data breach incident

Capita is embroiled in a new data breach incident, as its client Colchester Council accused the outsourcer of “unsafe storage of personal data”.

Colchester Council said it had expressed “extreme disappointment with Capita” following revelations of a “serious data breach” after files which include benefits data for 2019-20 and 2020-21 were found on an unsecured Amazon Data Bucket controlled by Capita.

The council said the outsourcer had “failed to maintain the necessary standards for data protection” but that Capita had informed it that there was no evidence of any malicious use of the data.

The council said it was “considering what further action may be appropriate regarding Capita”, adding that it understood the incident had affected several other local authorities around the country.

Capita delivers services to a number of local authorities including Colchester, Barking and Dagenham, and Barnet. Data belonging to schools in Sheffield was leaked following the Capita hack in March.

The latest revelation comes as the effect of the cyber attack in March continues to reverberate. Capita wrote to its pension trustee clients last week that its investigation into the hack is “unfortunately taking longer than previously estimated”.

“The analysis remains a complex, labour intensive exercise, and as a result this places risk on planned timescales,” Capita said, adding it was “hesitant to offer a fixed date on which we expect the analysis to be complete” but was targeting “on or around” May 27.

Among Capita’s pension plan clients, USS — the UK’s biggest private sector pension plan — earlier this month warned that the personal data of about half a million members may have been stolen during the cyber attack.

Capita also provides a range of services to departments within central government including the Ministry of Defence. The outsourcer administers recruitment for the army as well as training for the Royal Navy and defence fire and rescue services.

A government spokesperson said: “We are aware of the cyber incident which affected Capita and are in regular contact with the company. The issue primarily affected internal processes with minimal impact on government services.”

However, the MoD has increased protection and monitoring of its connections with Capita, according to a person familiar with the matter.

In a parliamentary debate last week, MP Jeremy Quin said the cabinet office, the Financial Conduct Authority and the National Cyber Security Centre were working with Capita to understand the risks to government data following the hack.

A spokesperson for Capita said the company was “working with our third-party technical advisers to investigate” the latest revelation of a data breach involving Colchester Council, adding that the historic data was “secure and no longer accessible”. The outsourcer declined to comment on its internal investigation on pension plan client data.