Capita, the UK-based outsourcing company that suffered a ransomware attack in March, is facing complaints from customers after it emerged that another data breach had occurred.
Colchester City Council, which uses Capita for financial services, has accused the company of “unsafe storage of personal data” over a historical incident that predates the ransomware attack. Rochford District Council has also issued a statement and is “working closely with Capita to deal with this matter and to understand how the data breach from the company occurred”.
As reported by TechCrunch, Capita had left thousands of customer files exposed online for seven years in an unprotected Amazon Web Services S3 bucket that did not even require a password to access.
Although a Capita spokesperson said that the data was now secure and no longer accessible, the company has not explained how many of its clients were affected. Colchester City Council said “several local authorities around the country” were impacted. The Information Commissioner’s Office has been notified.
The complaints come as Capita is dealing with the aftermath of the ransomware attack in March. The cost of responding to that attack could be up to £20m ($25m). Capita did not respond to questions about whether it had paid a ransom fee to the Black Basta cybercrime group, which has since removed the company’s listing on its darknet site.
A number of pension providers in the UK have been affected by the attack, with the country’s Pensions Regulator writing to hundreds of pension funds to tell them to check whether clients’ data had been stolen.
Data regarding around 470,000 members of the Universities Superannuation Scheme (USS) is feared to have been accessed. The USS said names, dates of birth, and national insurance numbers were held on the Capita servers accessed by the hackers.
Although Capita initially stated that there was “no evidence of customer, supplier or colleague data having been compromised,” it later confirmed that some data was exfiltrated from less than 0.1% of its server estate. Capita’s share price has dropped more than 18% since the day before the incident was first reported.