London-based business outsourcing giant Capita has released an update on the cyber incident that affected it earlier this month, now admitting that hackers exfiltrated data from its systems.
Specifically, the company discovered, with the help of security specialists, that hackers had accessed approximately 4% of its server infrastructure and stolen files hosted on the compromised systems.
“The incident was significantly limited, potentially affecting approximately 4% of Capita’s server farm,” reads Capita’s statement.
“There is currently evidence of limited data exfiltration of the small proportion of the affected server farm, which may include customer, supplier or co-worker data.”
The company will continue to investigate the cyber incident and provide timely updates if evidence of impact to customers, suppliers or colleagues arises.
Alleged Black Basta ransomware attack
On March 31, 2023, Capita disclosed an IT issue that impacted its services. Three days later, the company announced that the outage was caused by a cyberattack which prevented access to its internal Microsoft Office 365 applications.
At the time, Capita did not provide many details about the nature of the cyberattack. However, its impact was evident in the reduced availability of customer systems, including government organizations in the UK.
According to the latest update, the initial unauthorized access to Capita’s systems occurred on March 22, 2023, and continued uninterrupted until the company discovered the breach on March 31, 2023.
On April 17, 2023, the Black Basta ransomware gang listed Capita on its dark web extortion portal, threatening to sell stolen data to interested buyers unless the victim paid the ransom.
The sample data Black Basta released at the time included personal bank account details, physical addresses, passport scans and other sensitive information.
The company has not provided public comments on the Black Basta hackers’ claims and has not mentioned anything about ransomware in its recent statement, so the validity of these claims remains unconfirmed.
Capita’s entry has since been removed from Black Basta’s extortion site, which usually indicates that a ransom has been paid or is being negotiated.
BleepingComputer contacted Capita to seek comment on Black Basta’s allegations and on whether the company has communicated with the threat actors, but a spokesperson declined to provide an answer.