Attackers had unauthorised access for nine days, outsourcing firm announces

Major government supplier Capita has announced that customer data may have been stolen during a cyberattack in which intruders had access to the outsourcing firm’s systems for nine days.

In an update published today, the IT and services company said that it believes attackers gained “unauthorised access on or around 22 March”.

This access was not “interrupted” until 31 March, during which time an estimated 4% of Capita’s servers were impacted, a figure which the claimed demonstrated that “the incident was significantly restricted” by its interruption.

The outsourcer added, however, that there are indications that some data was extracted from its systems – potentially including information on public-sector customers.

“There is currently some evidence of limited data exfiltration from the small proportion of affected server estate which might include customer, supplier or colleague data,” the update said. “Capita continues to work through its forensic investigations and will inform any customers, suppliers or colleagues that are impacted in a timely manner.”

The company said that the primary impact of the incident was a restriction of employees’ internal access to Microsoft Office 365 applications – although some client services were disrupted, a small number of which may still be feeling the after-effects, today’s announcement suggested.

“Since the incident, Capita and its technical partners have restored Capita colleagues’ access to Microsoft Office 365,” it said. “The majority of Capita’s client services were not impacted by the incident and remained in operation, and Capita has now restored virtually all client services that were impacted.”

The statement added: “In parallel with the services restoration activity, Capita has continued to work closely and at speed with specialist advisers and forensic experts in investigating the incident to provide assurance around any potential customer, supplier or colleague data exfiltration.”

The update concluded that “Capita continues to comply with all relevant regulatory obligations” in relation to the incident, which was publicly announced on 3 April – the Monday after the attack had been interrupted on Friday 31 March.

The outsourcing outfit is one of the public sector’s biggest technology providers, holding billions of pounds of government contracts, and featuring on the Crown Commercial Service’s list of strategic suppliers – which contains 40 of Whitehall’s most significant commercial partners.

Shortly after the Capita attack was first revealed, the government said that it believed there had been “minimal impact on government departments” and that it was “in regular contact with the company” for further updates.

Following the announcement of possible theft of customer data during the incident, PublicTechnology contacted the Cabinet Office – which issued a near-identical statement as it did several weeks ago.

“We are aware of the cyber incident which affected Capita and are in regular contact with the company,” a government spokesperson said. “The issue primarily affected internal processes with minimal impact on government services.”

apita’s largest public-sector engagements include a contract to carry out health and disability assessments on behalf of the Department for Work and Pensions. The deal was initially signed 11 years ago and was most recently to extended until 31 July of this year, an extension that takes the contract’s total value to more than £550m.

Other major deals held by the firm include a £107m contract with the Department for Education to support the provision of national curriculum tests and a £45m three-year deal to provide training services to military personnel, as well as a large number of smaller deals with customers across the public sector, including various local authorities and NHS organisations.