What We Can Learn From Capita’s March 2023 Cyber Incident?

On 3 April 2023 Capita released a statement about a cyber incident it experienced over the previous weekend.

Capita has contracts with the NHS, BBC, and central and local governments. Some of the key services offered by Capita include customer management, IT services, digital transformation, software development, consulting and business process management.

Although Capita hasn’t given any details as to the nature of the cyber incident, it claims the incident “primarily” impacted access to internal applications, which affected some services provided to individual clients, though the company’s statement said that most client services were still functioning.

The Capita cyber attack and subsequent IT system outage highlights the importance of having robust cyber security measures in place, as well as a solid incident response plan.

Based on the information available, it seems that Capita had the following measures in place to help them respond to the cyber attack:

1. Regular cyber security training for employees: Capita’s employees were likely trained on how to identify and respond to security threats, which helped them report the attack quickly and accurately.

2. Effective communication: Capita communicated frequently and transparently about the incident, providing regular updates to customers, shareholders and the public. This helped to build trust and confidence in the company’s ability to manage the incident.

3. Swift action: Capita took swift action to contain the attack and prevent it from spreading further. This demonstrates the importance of having a well-defined incident response plan that can be executed quickly and efficiently.

4. Collaboration with third-party experts: Capita worked with third-party cyber security experts to investigate and remediate the attack. This highlights the importance of having trusted partners who can provide expertise and support during a crisis.

5. Focus on security: Capita emphasised its commitment to security and took steps to reassure customers that their data was secure. This demonstrates the importance of building a culture of security within the organisation and prioritising security as a key business function.

6. Incident response plan: Capita had a well-defined incident response plan, which outlines the steps that should be taken in the event of a security breach or system outage. This would have helped to minimise the impact of the attack and ensure that the company was able to recover quickly, despite the outages.

7. Backups and redundancy: Capita likely had backups of critical systems and redundant infrastructure in place, which helped them restore systems quickly and minimise downtime.

What can other organisations learn from Capita’s cyber incident and subsequent response?

1. Implement robust cyber security measures, including firewalls, intrusion detection and prevention systems, antivirus software and regular vulnerability assessments.

2. Carry out regular testing of incident response plans to ensure that they are effective and up to date.

3. Back up critical data and systems, and have redundancy infrastructure in place to quickly restore systems in the event of an outage or attack.

4. Provide regular cyber security training for employees to identify and respond to security threats, minimising the impact of attacks and helping to prevent them from occurring in the first place.

By implementing these measures, companies can better prepare for and prevent cyber attacks, as well as minimise the impact of any attacks that do occur.

There are several important things to learn from the Capita cyber incident that all organisations should consider when implementing their own incident procedures:

1.  Capita has an out-of-hours breach protocol

We understand that the incident occurred at 4pm on Friday. Given that the bulk of Capita’s clients are public sector, it can be assumed that most of the business operates during usual office hours.

That being the case and considering the contents of Capita’s press release yesterday, the company clearly has an out-of-hours breach protocol. Such a protocol is crucial as it will have enabled them to swiftly isolate – and thereby mitigate – the incident and its impact.

It will also have enabled Capita to quickly determine that no customer, supplier or colleague data was compromised, negating the need to execute elements of the protocol relating to notification of incidents to the ICO and/or data subjects.

It cannot be overestimated how beneficial such a protocol can be when handling incidents, particularly those that happen so close to the end of the working week.

2. Capita has not reported on which of its customers were affected by the incident

The Guardian reported that Capita’s press release “stopped short of detailing which of its customers had been affected”. This is normal.

In most cases, Capita is likely to act as a data processor for its clients, and the data processing agreement that will be in place to govern the relationship will contain provisions that place Capita under certain obligations when it comes to managing incidents.

Those obligations are likely to restrict Capita’s ability to refer to its clients in public statements (i.e. Capita will be bound by a duty of confidentiality) and it will likely stipulate requirements that Capita must adhere to when it experiences breaches that might affect its clients’ information.

It’s therefore unsurprising that specific clients have not been mentioned, notwithstanding that Capita has been able to identify that no customer, supplier or colleague data has been compromised, and it mirrors what we would expect to see in most controller/processor relationships.

Another thing to think about here is to include in a data processing agreement the ability to work alongside a data processor to understand the incident.

While a controller cannot expect to be able to control the situation, there is a lot of benefit to be gleaned from working collaboratively to assess the impact of the incident, mitigations to be deployed and agree a work plan to get back to business as usual.

If nothing else, processors should be required to provide regular commentary on the incident as it unfolds, as this will facilitate the controller understanding whether the incident has triggered mandatory reporting and it will inform the content of any press release it may wish to publish.

3. Capita outsources support for incident management

The press release hints at Capita having established disaster recovery relationships. The phrase “working in collaboration with our specialist technical partners” suggests that the company’s breach process includes the ability to bring in outsourced professionals to assist with breach investigation and mitigation.

While it may perhaps feel counterintuitive to give external parties access to an already compromised system, outsourcing support to bring the right people in with the technical expertise to fix the problem, rather than endeavouring – and perhaps failing – to fix the problem internally, is crucially important in getting to a solution more quickly.

Cyber attacks can be complicated and highly technical, and it would be impractical for Capita to permanently retain such highly specialised skills in house, particularly when the landscape of cyber attacks is constantly evolving.

DQM GRC specialises in helping large businesses put data privacy at the forefront of their operations. Our consultants have a wealth of experience across industries and projects, allowing us to offer support with any privacy-related concerns.

Contact us to find out how we can help you.