IT outsourcing giant, Capita, is investigating an IT breach that is said to have exposed sensitive customer and corporate data, including passport photos and bank account details, according to The Register. Black Basta, the group that claims responsibility for the breach, reportedly tried to sell off some of the stolen data.
Capita, which has UK government contracts worth £6.5bn, has said that it has not yet confirmed whether the data leak is legitimate, though it is working closely with forensic and specialist advisers to investigate. The company has played down fears that personal and corporate information was accessed, though a spokesperson for the company said that it will notify all parties if it discovers that the security breach has compromised any data.
Information listed for sale by Black Basta reportedly included personal data belonging to teachers applying for jobs at schools, more than 100 bank accounts, phone numbers, home addresses and details of a Capita Nuclear document.
Internal floor plans of multiple buildings and security vetting for customers were also said to have been included. Capita provides a wide range of services for public and private organisations, including the National Health Service, the British Army, the Royal Navy, the Ministry of Defence and O2.
The clock is ticking for Capita to handle the incident response with greater transparency and disclose the loss of personal data, said Kevin Beaumont, an infosec watcher. Beaumont added that failing to do so could result in serious financial and reputational damage.
There is no suggestion of wrongdoing by Capita. The UK’s Information Commissioner’s Office confirmed that Capita had reported a network intrusion, and that it was assessing the information provided.
