Nearly 8,000 individuals are set to join a High Court case against the outsourcing firm Capita, following a cyberattack that occurred in March 2023. Barings Law, the Manchester-based legal firm representing the claimants, has criticized Capita’s handling of the breach, which has been linked to the Black Basta ransomware group. The legal action, which was filed earlier in 2024, is one of the largest lawsuits of its kind against the company.
The Timeline of the Cyberattack
The unauthorized access to Capita’s systems is believed to have occurred around March 22, 2023, and was identified and interrupted on March 31. Capita initially reported the breach as a cyber incident, with little information provided about the severity of the attack. In April, the Black Basta ransomware group claimed responsibility, revealing that customer data had been stolen and that the group had demanded a ransom. Capita, however, maintained in its statements that there was only limited data exfiltration during the incident. Despite these assurances, concerns grew among clients, particularly pension schemes that rely on Capita’s services. The Universities Superannuation Scheme (USS), managing over £82 billion for its 500,000 members, was among the first to notify its members of the breach. Other pension providers were slower to inform those affected, leading to criticisms about delays in communication.
Legal Action Against Capita
Barings Law has been leading the proceedings against Capita, representing thousands of individuals affected by the breach. According to Adnan Malik, Head of Data Breach at Barings Law, this lawsuit is the largest of its kind against the outsourcing giant. The firm expects its case to be presented to the High Court next year, following delays in the legal system. Malik pointed out that many claimants received letters notifying them of the breach more than a year after the incident. Similar to other high-profile incidents like the recent Change Healthcare breach, the personal information compromised included sensitive data such as bank details, national insurance numbers, and employment histories. One client, a mining industry veteran, learned about the breach from media reports months before receiving an official notification from his pension provider, the Mineworkers’ Pension Scheme, and Capita.
Barings Law also noted Capita’s lack of transparency and communication regarding the delays. Despite repeated requests for clarification, Capita has not provided any explanation to the claimants about the slow notification process. While some pension schemes, such as the Mineworkers’ Pension Scheme, have chosen to replace Capita with a new administrator by January 2025, others, including the Royal Mail Statutory Pension Scheme (RMSPS), have continued their contracts with the company.
Capita’s Initial Response and Containment
When the cyberattack occurred, Capita initially referred to it as an “IT incident,” avoiding explicit acknowledgment of its cybersecurity nature. Internally, Capita’s Security Operations Center detected the breach early on March 22, and the company invoked crisis management protocols to contain the issue. It took several days before Capita publicly acknowledged the involvement of ransomware. The breach mainly affected Capita’s internal access to Microsoft 365 applications, disrupting services for a range of clients, including local authorities and infrastructure providers. Reports indicated that staff at some Capita-managed sites, including those in infrastructure sectors, were forced to revert to manual operations using radios, pens, and paper. Capita eventually restored employee access to its systems with the help of third-party technical partners.
Despite Capita’s first statement that there was no evidence of customer, supplier, or colleague data being compromised, further investigations revealed otherwise. In subsequent months, the company admitted that approximately 4% of its servers were affected and that sensitive data from several pension schemes, including NHS England, was compromised.
Impact on Public Services and Government Contracts
The implications of the Capita cyberattack were far-reaching due to the company’s contracts with the UK government. Capita manages a range of public services, including London’s congestion charge zone, Royal Navy training centers, and parts of the NHS. Any disruption to Capita’s operations could therefore have significant consequences for public services. In the days following the breach, phone lines for benefits, council tax, and business rates went down for several local authorities. The Black Basta ransomware group’s involvement in the Capita breach raised concerns about the security of data held by outsourcing providers. Cybersecurity experts have pointed out that ransomware attacks often involve the theft of sensitive data, which is then used for extortion. The stolen data included personal information from pension schemes, government contracts, and local authorities, adding to the severity of the incident. While Capita estimates that the breach will cost the company between £15 million and £20 million, the long-term reputational damage could be far more consequential. Some of Capita’s clients, such as the Mineworkers’ Pension Scheme, have already decided to move their contracts to other providers, and there may be further fallout as investigations continue.
The High Court lawsuit against Capita is an appropriate legal response to the 2023 cyberattack. As the legal proceedings unfold, the case could set a standard for future actions against companies involved in data breaches of this scale.
Image credit: Rafael Henrique, AdobeStock