UK-based business process outsourcing and professional services company Capita said on Wednesday that it expects to incur costs ranging between roughly £15 million ($19 million) and £20 million ($25 million) as a result of the recent cybersecurity incident, but it has not clarified whether that includes a ransom payment to the hackers.
The breach came to light on March 31, when Capita said it was experiencing a major IT incident that had been causing disruptions, but it took until April 3 for the company to confirm that the cause was a cyberattack.
Capita initially said there was no evidence of customer or other information getting compromised, but confirmed that files were stolen from its systems on April 20, days after a ransomware group named Black Basta started leaking information allegedly stolen from the company.
The leaked files stored personal and financial information and the hackers were apparently hoping to find a buyer for it.
Capita is one of the largest business outsourcing providers in the UK and its services are used by the government.
In its latest update on the cybersecurity incident, the company said it determined that data was stolen from less than 0.1% of its server estate — it previously said that 4% of its servers were impacted.
“Capita has taken extensive steps to recover and secure the customer, supplier and colleague data contained within the impacted server estate, and to remediate any issues arising from the incident,” the company stated.
It added, “Capita expects to incur exceptional costs of approximately £15m to £20m associated with the cyber incident, comprising specialist professional fees, recovery and remediation costs and investment to reinforce Capita’s cyber security environment. Capita has also taken further steps to ensure the integrity, safety and security of its IT infrastructure to underpin its ongoing client service commitments.”
It’s unclear if the amount also includes a ransom payment made to the cybercriminals, but there is some evidence suggesting that the company has reached an agreement with the attackers.
The company has refused to provide clarifications when contacted by SecurityWeek. Investors were also not given a clear answer during a recent webinar, but the way the response was worded suggested there was a settlement.
In addition, the hackers completely removed the company’s name from their leak website and they refused to answer any questions when contacted by researcher Kevin Beaumont.
It’s not uncommon for organizations to pay significant amounts of money in response to ransomware attacks. The San Bernardino County Sheriff’s Department in California admitted recently that it made a $1.1 million payment to resolve a ransomware attack targeting its network.
Related: Ransomware Group Claims Attack on Constellation Software
Related: Western Digital Confirms Ransomware Group Stole Customer Information