Russian hackers exfiltrated data from Capita over a week before outage

Capita have finally admitted a data breach, but still do not think they need to disclose key details of the incident to customers, regulators, impacted parties and investors. So in this piece we shall dig into the details using open source intelligence, and prove Capita was penetrated by the Black Basta ransomware group using Qakbot phishing to deliver hands-on-keyboard access for weeks — and question if the playbooks organisations are using to handle ransomware groups are fit for purpose in 2023.

Almost two weeks ago, I wrote a piece called “Black Basta ransomware group extorts Capita with stolen customer data, Capita fumble response”. The piece documented how, from the start of the incident, Capita failed to disclose key details to stakeholders — and directly evidenced that a Russian-based double extortion (ransomware) group were serving stolen Capita customer data.

Off the back of that piece, Capita still failed to issue any update to markets or investors, failed to acknowledge ransomware, failed to acknowledge the link to Black Basta, ignored the problem for a week, and then tried to pretend to the press that data leaked by the ransomware group may be “public domain”. Black Basta’s data was obviously not public domain data, and it is sadly very clear Capita have a serious situation they are failing to disclose properly, or attempting to wordsmith around.

Why does this matter? Capita handle £6.5 billion of UK government contracts. They have multiple business units running functions of national security importance — for example, they run the SC and DV security clearance process as part of the National Security Vetting, directly collecting personal information for high risk UK government roles — under the banner Security Watchdog — a business which Capita own and which is directly impacted by this incident. Capita are currently selling Security Watchdog to another company: