London-based professional outsourcing giant Capita has published an update on the cyber-incident that impacted it at the start of the month, now admitting that hackers exfiltrated data from its systems.
More specifically, the firm has found, with the help of security specialists, that hackers accessed roughly 4% of its server infrastructure and stole files hosted on the breached systems.
“The incident was significantly restricted, potentially affecting around 4% of Capita’s server estate,” reads Capita’s statement.
“There is currently some evidence of limited data exfiltration from the small proportion of affected server estate, which might include customer, supplier, or colleague data.”
The company will continue its investigation of the cyber-incident and provide timely updates if evidence arises of an impact on customers, suppliers, or colleagues.
Alleged Black Basta ransomware attack
On March 31, 2023, Capita disclosed an IT issue that impacted its services. Three days later, the company announced that the outage was caused by a cyberattack that prevented access to its internal Microsoft Office 365 applications.
At the time, Capita did not provide many details about the nature of the cyberattack. However, its impact was evident in the reduced availability of client systems, including state organizations in the UK.
According to the latest update, the initial unauthorized access to Capita’s systems occurred on March 22, 2023, and continued uninterrupted until the firm discovered the breach on March 31, 2023.
On April 17, 2023, the Black Basta ransomware gang posted Capita on its extortion portal on the dark web using a private link, threatening to sell stolen data to interested buyers unless the victim paid the ransom.
Black Basta posting Capita on its Tor website (Dominic Alvieri)
The data samples Black Basta posted at the time include personal bank account details, physical addresses, passport scans, and other sensitive information.
The company did not provide public comment on the allegations of the Black Basta hackers and has not mentioned anything about ransomware in its recent statement, so the validity of these claims remains unconfirmed.
Capita’s entry on Black Basta’s extortion site remains private, which might mean that the ransom payment is currently being negotiated.
BleepingComputer has contacted Capita to request a comment about Black Basta’s allegations and whether or not they have communicated with the threat actors, but a spokesperson declined to provide an answer.
Update 4/21 – Post updated to correct a factual error regarding Capita’s entry on Black Basta’s extortion site