Around 90 organisations have reported breaches of personal data held by Capita, an outsourcing giant, to the Information Commissioner's Office (ICO), following a cyber attack in March and the subsequent discovery that Capita had left a pool of data unsecured online. Hundreds of thousands of people are now being warned that they could have been affected by the hack. Capita said it has taken steps to secure the data. Capita is used by a large number of public and private organisations and handles the personal information of millions of people. Many company pension schemes administer payments through Capita, and its clients also include councils.
According to a recent report by the Information Commissioner's Office (ICO), around 90 organisations have reported breaches of personal data held by Capita, the outsourcing giant. This comes after the company suffered a cyber attack in March this year, and it was later discovered that Capita had left a pool of data unsecured online. As a result, hundreds of thousands of people are now being warned that they could have been affected by the hack.
Capita is used by a large number of public and private organisations, and it handles the personal information of millions of people. Many company pension schemes administer payments through Capita, and its clients also include councils. Therefore, the potential impact of the data breach is significant.
Capita is facing two issues. The first was the cyber attack earlier this year; the second emerged in May, when news broke that Capita had left a repository of files unsecured online. Capita has stated that it has taken steps to secure the data and is working closely with specialist advisers and forensic experts to investigate the cyber incident.
Security researcher Kevin Beaumont told the BBC that the first incident, which he is “very confident” was a ransomware attack, was significant because of the breadth of data potentially at risk, which could expose victims to fraud. Mr Beaumont alerted Capita to the second issue, which left files unsecured online, in April, but it only emerged publicly the following month.
The ICO is encouraging organisations to see if personal data they hold has been affected by the attack or by the exposed data. Personal data is defined as information that relates to a particular individual or could be used to identify someone, such as a name or an address. Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedom.
The cyber attack in March hit a number of pension funds which use a Capita system called Hartlink. The Universities Superannuation Scheme (USS) pension fund, the UK’s main pension fund for universities, is in the process of writing to all its 500,000 members to inform them their data was at risk.
The potential impact of the data breach is significant, and organisations must take steps to secure their data and notify the ICO of any breaches. As more and more personal data is stored online, it is essential that companies take cybersecurity seriously and take all necessary measures to protect their customers’ data.