Capita, a UK-based outsourcing and professional services provider, suffered a **Black Basta ransomware attack** in **March 2023** that exposed the personal data of **6.6 million individuals** and affected **hundreds of clients**, including **325 UK pension schemes**. The attackers gained a foothold through a malicious file downloaded by an employee and then took advantage of weak security controls: **poor access management (no tiered admin account model), delayed incident response (a 58-hour gap before the infected device was isolated), an understaffed SOC, and no regular penetration testing**. Roughly **1TB of data** was exfiltrated before the ransomware was deployed on 31 March 2023, locking systems and forcing a reset of all user passwords. The **UK's ICO fined Capita £14 million** (reduced from a provisional £45 million) for data protection failures; Capita has since invested in strengthening its security. The breach disrupted services for **local councils, the NHS and the Ministry of Defence**, among others, and involved the exposure of **sensitive pension and employee data**.
TPRM report: https://www.rankiteo.com/company/capita
"id": "cap2002120101625",
"linkid": "capita",
"type": "Ransomware",
"date": "3/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': 'Hundreds of clients, including '
'325 UK pension scheme providers',
'industry': ['Consulting',
'Digital Services',
'Software',
'BPO'],
'location': 'UK (primary), Europe',
'name': 'Capita plc',
'size': '34,000 employees, £3B annual revenue',
'type': 'Outsourcing/Professional Services'},
{'customers_affected': '325 UK pension scheme providers',
'industry': 'Financial Services',
'location': 'UK',
'name': 'Capita Pension Solutions Limited',
'type': 'Subsidiary (Pension Services)'},
{'customers_affected': "Indirect impact via Capita's "
'services',
'location': 'UK/Europe',
'name': 'Clients of Capita (e.g., Local Councils, NHS, '
'Ministry of Defence, Banking, Utilities, '
'Telecom)',
'type': ['Government',
'Healthcare',
'Financial Services',
'Utilities',
'Telecommunications']}],
'attack_vector': 'Malicious File Download (Phishing/Social Engineering)',
'customer_advisories': 'Data protection services offered to affected '
'individuals',
'data_breach': {'data_encryption': 'Yes (ransomware deployed on 2023-03-31)',
'data_exfiltration': 'Yes (~1TB of data exfiltrated between '
'2023-03-29 and 2023-03-30)',
'number_of_records_exposed': '6.6 million individuals',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (personally identifiable '
'information)',
'type_of_data_compromised': ['Personal Information',
'Pension Scheme Data',
'Corporate Files']},
'date_detected': '2023-03-22',
'date_publicly_disclosed': '2023-04 (day not recorded)',
'description': 'The Information Commissioner’s Office (ICO) in the UK fined '
'Capita £14 million ($18.7 million) for a 2023 data breach '
'that exposed the personal information of 6.6 million people. '
'The Black Basta ransomware gang claimed responsibility, '
'exfiltrating nearly 1TB of data and deploying ransomware '
'after gaining access via a malicious file downloaded by an '
"employee. Capita's delayed response (58 hours to isolate the "
'infected device) and poor security practices (e.g., lack of '
'tiered admin controls, understaffed SOC) exacerbated the '
'incident. The breach impacted hundreds of clients, including '
'325 UK pension scheme providers.',
'impact': {'brand_reputation_impact': 'Significant (high-profile breach, '
'regulatory fines, public disclosure)',
'data_compromised': "6.6 million individuals' personal information",
'downtime': 'Systems taken offline during response; user passwords '
'reset on 2023-03-31 (locking out staff)',
'financial_loss': '£14 million ($18.7 million) in ICO Fines '
'(Reduced from £45 million)',
'identity_theft_risk': 'High (personal data of 6.6M individuals '
'exposed)',
'legal_liabilities': 'ICO fines (£8M for Capita plc, £6M for '
'Capita Pension Solutions Limited)',
'operational_impact': 'Disruption to services for hundreds of '
'clients, including 325 UK pension scheme '
'providers',
'systems_affected': '4% of Capita’s internal IT infrastructure '
'(including Microsoft 365 environment)'},
'initial_access_broker': {'backdoors_established': 'Not confirmed (attackers '
'escalated to admin permissions and moved '
'laterally; no persistence mechanism is described)',
'data_sold_on_dark_web': 'Not confirmed (Black Basta '
'threatened to publish the data on its '
'leak site if the ransom was unpaid)',
'entry_point': 'Malicious file downloaded by '
'employee (phishing/social '
'engineering)',
'high_value_targets': ['Pension scheme data',
'Administrator credentials',
'Sensitive corporate files']},
'investigation_status': 'Completed (ICO investigation concluded with fine)',
'lessons_learned': ['Critical importance of timely incident response (58-hour '
'delay worsened impact)',
'Need for tiered admin access controls and regular '
'penetration testing',
'Adequate SOC staffing and risk management are essential',
'Proactive communication with regulators can mitigate '
'fines (fine reduced from £45M to £14M)'],
'motivation': 'Financial Gain (Ransom Demand, Data Exfiltration for Leverage)',
'post_incident_analysis': {'corrective_actions': ['Security improvements '
'(unspecified details)',
'Data protection services '
'for affected individuals',
'Settlement with ICO and '
'acceptance of liability',
'Investment in '
'cybersecurity '
'strengthening (per CEO '
'statement)'],
'root_causes': ['Delayed containment (58-hour gap '
'between detection and isolation)',
'Lack of tiered admin access '
'controls',
'Understaffed Security Operations '
'Center (SOC)',
'Inadequate penetration testing '
'and risk management',
'Employee susceptibility to '
'phishing/malicious files']},
'ransomware': {'data_encryption': 'Yes (deployed on 2023-03-31)',
'data_exfiltration': 'Yes (~1TB)',
'ransom_paid': "No (inferred from Black Basta's public leak threats)",
'ransomware_strain': 'Black Basta'},
'recommendations': ['Implement multi-layered access controls (e.g., '
'zero-trust model)',
'Enhance SOC capabilities (staffing, tools, 24/7 '
'monitoring)',
'Conduct regular penetration testing and red team '
'exercises',
'Improve employee training on phishing/malicious file '
'risks',
'Establish clearer incident response escalation '
'protocols'],
'references': [{'source': 'Information Commissioner’s Office (ICO) - Capita '
'Fine Announcement'},
{'source': 'Capita plc - Public Disclosure (April 2023)'},
{'source': 'Black Basta Ransomware Gang - Leak '
'Site/Statements'}],
'regulatory_compliance': {'fines_imposed': '£14 million (£8M for Capita plc, '
'£6M for Capita Pension Solutions '
'Limited)',
'legal_actions': 'ICO investigation and penalty',
'regulations_violated': ['UK GDPR',
'Data Protection Act 2018'],
'regulatory_notifications': 'ICO disclosure'},
'response': {'communication_strategy': ['Public disclosure in April 2023',
'CEO statement on settlement with ICO',
'Advisories to clients and pension '
'scheme providers'],
'containment_measures': ['Systems taken offline',
'User passwords reset (2023-03-31)',
'Infected device isolated, but only after '
'a 58-hour gap'],
'enhanced_monitoring': 'Likely implemented post-incident (not '
'specified)',
'incident_response_plan_activated': 'Yes (partial; delayed '
'containment)',
'law_enforcement_notified': 'Not stated (the ICO, the data protection regulator, was notified and investigated)',
'remediation_measures': ['Security improvements post-incident',
'Data protection services offered to '
'exposed individuals']},
'stakeholder_advisories': 'Issued to clients (e.g., pension scheme providers, '
'local councils, NHS)',
'threat_actor': 'Black Basta Ransomware Gang',
'title': 'Capita Data Breach and Ransomware Attack (2023)',
'type': ['Data Breach', 'Ransomware Attack'],
'vulnerability_exploited': ['Poor Access Controls (Lack of Tiered Admin '
'Account Model)',
'Delayed Response to Security Alerts',
'Understaffed Security Operations Center (SOC)',
'Lack of Regular Penetration Testing',
'Inadequate Risk Management Exercises']}
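The record above lists the lack of a tiered admin account model among the root causes and recommends multi-layered access controls. The following is an added example written for this page, not Capita's tooling or anything taken from the ICO findings: it audits a constructed export of group memberships and interactive logon events against the two rules of a tiered administration model (no account holds admin rights in more than one tier, and a higher-tier admin never logs on interactively to a lower-tier host, where its credential material could be harvested). The group-to-tier mapping, the host-type tags, the account names and the logon records are all hypothetical.

```python
"""Added example for this page (not Capita's or the ICO's code): audit for
tiered-admin violations.

Assumptions (all hypothetical): the group-to-tier mapping, the host-type
tags, the account names and the logon records below. The tiered model checked
is the usual one: Tier 0 = identity infrastructure, Tier 1 = servers,
Tier 2 = workstations; a lower tier number means more privilege.
"""
from collections import defaultdict

# Hypothetical mapping of admin groups to tiers; mirror your own directory.
GROUP_TIER = {
    "Domain Admins": 0,
    "Enterprise Admins": 0,
    "Server Admins": 1,
    "Workstation Admins": 2,
}

# Hypothetical host-type tag to tier mapping.
HOST_TIER = {"dc": 0, "srv": 1, "wks": 2}

# Constructed sample input: (account, group) memberships.
SAMPLE_MEMBERSHIPS = [
    ("alice.da", "Domain Admins"),
    ("bob.srv", "Server Admins"),
    ("carol", "Domain Users"),
    ("dave.all", "Domain Admins"),
    ("dave.all", "Workstation Admins"),
]

# Constructed sample input: (account, host_type, host) interactive logons.
SAMPLE_LOGONS = [
    ("alice.da", "wks", "WKS-0417"),   # Tier 0 credential used on a workstation
    ("bob.srv", "srv", "APP-SRV-02"),  # Tier 1 admin on a server: allowed
    ("carol", "wks", "WKS-0099"),      # ordinary user: outside the admin rule
    ("dave.all", "dc", "DC-01"),       # allowed logon, but see memberships
]


def account_tiers(memberships):
    """Map each account to the set of admin tiers its groups grant.

    Accounts with no admin group membership get no entry at all.
    """
    tiers = defaultdict(set)
    for account, group in memberships:
        if group in GROUP_TIER:
            tiers[account].add(GROUP_TIER[group])
    return dict(tiers)


def find_violations(memberships, logons):
    """Return sorted (account, kind, detail) tuples for two tiering rules.

    'cross-tier-membership': one account holds admin rights in more than one
        tier, so a compromise at the weaker tier reaches the stronger one.
    'downward-logon': an admin logs on interactively to a host of a weaker
        tier, leaving reusable credential material on that host.
    """
    tiers = account_tiers(memberships)
    violations = []
    for account, held in tiers.items():
        if len(held) > 1:
            held_str = ",".join(str(t) for t in sorted(held))
            violations.append((account, "cross-tier-membership",
                               f"holds tiers {held_str}"))
    for account, host_type, host in logons:
        held = tiers.get(account)
        if not held:
            continue  # not an admin account; the rule does not apply
        strongest = min(held)          # most privileged tier the account holds
        host_tier = HOST_TIER[host_type]
        if host_tier > strongest:
            violations.append((account, "downward-logon",
                               f"tier {strongest} admin logged on to tier "
                               f"{host_tier} host {host}"))
    return sorted(violations)


if __name__ == "__main__":
    for account, kind, detail in find_violations(SAMPLE_MEMBERSHIPS, SAMPLE_LOGONS):
        print(f"{account}: {kind}: {detail}")
```

In a real environment the membership list would come from a directory group export and the logon list from interactive logon events (on Windows, event ID 4624 with logon type 2 or 10); the point of the check is that a single run surfaces exactly the conditions the record names, an admin identity usable from a lower-trust host and an identity that bridges tiers, before an intruder who has one workstation finds them first.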