Cyber Incident Victim: Capita plc

Date: Mar 2023

Location: United Kingdom

Summary

A cyberattack disrupted Capita's internal Microsoft Office 365 applications and some client services. The incident was discovered when staff were unable to log in, prompting a response that successfully contained the issue. While the company stated the attack only affected limited parts of its network and found no evidence of data exposure, several local government clients reported disruptions to their phone and email services. Work was undertaken to restore full access to affected systems.

Description

On March 31, 2023, British outsourcing services provider Capita publicly announced it was experiencing an IT issue that impacted its internal systems. The company, based in London, employs 50,000 specialists and provides a wide range of services to clients in the finance, IT, healthcare, education, and government sectors. Its customer base includes critical infrastructure organizations in the U.K. such as the National Health Service (NHS), the UK military, and the Department for Work and Pensions, as well as prominent companies like O2, Vodafone, and the Royal Bank of Scotland. The initial announcement did not offer any details regarding the cause of the incident. The nature of the disruption became clearer on April 3, 2023, when Capita acknowledged in a short press release that the outage was in fact caused by a cyberattack.

The cyber incident itself occurred at 4:00 AM on Friday, March 31, 2023. The attack disrupted access to the company's internal Microsoft Office 365 applications. The disruption was discovered approximately three hours after the initial attack, at which time staff attempting to log into the system found they were unable to gain access. The company's immediate reaction to the discovery was to initiate response protocols that successfully isolated and contained the security issue, preventing its further spread across the network. According to the company's disclosure, the investigation into the attack found that it had impacted only limited parts of Capita's network. The investigation did not find any indications that data belonging to its customers, suppliers, or staff had been exposed during the intrusion.

Capita stated that the disruption only affected some services provided to individual clients, while the majority of its customer base did not experience any adverse impacts. The company did not provide specific details about which particular clients or services were impacted by the cyberattack. However, there were external indications that several local government bodies, which are clients of Capita, experienced service disruptions. The boroughs of Barnet, Dagenham, Barking, and the South Oxfordshire council all posted notifications on their official websites stating that their phone and email servers were unavailable due to the incident affecting their service provider. This suggests that the cyberattack on Capita's internal systems had a downstream effect, causing outages for these public sector organizations that relied on Capita for IT and communication services.

Following the containment of the incident, the company's primary focus shifted to restoration and recovery efforts. Capita was actively working towards the complete restoration of access to its Microsoft Office 365 environment and other client services that had been disrupted. The company reported progress in this endeavor, though a specific timeline for full recovery was not provided in the immediate aftermath. The restoration process involved ensuring that systems were brought back online securely and functionality was returned to both internal users and external clients. The fact that the attack targeted core productivity applications like Office 365 indicated a significant impact on internal business operations, affecting communication, collaboration, and standard workflow processes for Capita's own employees.

The scope of the attack, as initially described by the company, was presented as limited, affecting only specific segments of the network rather than a complete compromise of all systems. This successful containment likely limited the overall operational and financial damage from the event. The company's announcement emphasized that no data exfiltration had been identified, aiming to reassure its clients, suppliers, and staff that sensitive information had not been stolen. The immediate response and subsequent investigation were crucial steps in managing the incident and mitigating its broader consequences. The involvement of critical national infrastructure clients and major corporations meant that the event attracted significant attention, though the full extent of the impact on these entities was not fully detailed by Capita in its initial communications. The company's priority remained on restoring services and maintaining operational continuity for its diverse and extensive client portfolio.
