Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Data Breaches

Capita Confirms Data Breach After Ransomware Group Offers to Sell Stolen Information

Capita finally confirmed that hackers stole data after the Black Basta ransomware group offered to sell information allegedly stolen from the company.

Capita ransomware

UK-based business process outsourcing and professional services company Capita has confirmed that hackers have stolen data from its systems after a well-known ransomware group offered to sell information allegedly stolen from the organization.

The incident came to light on March 31, when Capita said it was experiencing a major IT incident that prevented staff from logging into their systems. The company told the press at the time that it was too early to confirm that it was a cyberattack. However, information that came to light later showed that the company likely knew it was dealing with a cybersecurity incident. 

Capita is one of the largest business outsourcing providers in the UK and its services are used by the country’s government. A major data breach could have significant implications. 

On April 3, Capita confirmed that it had experienced a cyber incident that prevented access to internal applications, which caused disruption to some services. The company said at the time that the “issue was limited to parts of the Capita network and there is no evidence of customer, supplier or colleague data having been compromised”.

On April 8, the Black Basta ransomware group listed Capita on its leak website and shared some files as proof that they exfiltrated data from its systems. The leaked files stored personal and financial information and the hackers were apparently hoping to find a buyer for the data rather than hoping that the victim would pay a ransom. 

It took Capita until April 20 to confirm that some of its systems were in fact breached and that data had been stolen. 

“From our investigations to date, it appears that the incident arose following initial unauthorised access on or around 22 March and was interrupted by Capita on 31 March,” the company said in a statement on Thursday. “As a result of the interruption, the incident was significantly restricted, potentially affecting around 4% of Capita’s server estate. There is currently some evidence of limited data exfiltration from the small proportion of affected server estate which might include customer, supplier or colleague data.”

Advertisement. Scroll to continue reading.

The fact that Capita was dealing with a cyberattack on March 31 shows that the company likely knew about the nature of the incident, but refused to disclose it. It’s possible that the intrusion was discovered on March 31 because the attacker attempted to encrypt files on Capita systems. 

Cybersecurity researcher Kevin Beaumont has criticized Capita for its attempt to downplay the incident to both the public and investors. 

Beaumont reported that the data obtained by Black Basta included passport and driver’s license scans, payment details, floor plans for multiple buildings, employment screenings, and employment offer information.

The researcher pointed out that in a statement provided to the BBC this week the company still said it had no evidence of sensitive data being compromised. Beaumont learned that the company told the same thing to investors earlier this week. 

Capita issued the statement confirming a data breach shortly after Beaumont announced plans to release a blog post detailing the hack.

Beaumont said Capita’s systems were likely compromised as a result of a Qakbot email campaign launched on March 21 — in its latest statement the company confirmed being breached on March 22. 

Qakbot, aka Qbot and Pinkslipbot, is a banking trojan that has been used by the Black Basta ransomware group to gain initial access to their targets.

Related: Ransomware Attack Hits Health Insurer Point32Health

Related: Payments Giant NCR Hit by Ransomware

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Data Breaches

A group of hackers has leaked Atlassian employee records and floorplans, information that was obtained from third-party workplace platform Envoy.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.