Cyber Incident Victim: Computacenter plc

Date: May 2019

Location: United Kingdom

Summary

A third-party mailbox used by a major European IT reseller to collect missing or incomplete security clearance documentation for employees and contractors was compromised, enabling unauthorized access to sensitive personal data including identification details, bank information, addresses, and employment histories. Attackers altered the mailbox password, preventing legitimate access, and leveraged it to distribute phishing emails. The organization secured the compromised system, discontinued its use, implemented alternative clearance processes, and notified affected individuals of potential identity theft risks while offering free identity monitoring services. The breach, reported to UK authorities, was assessed as likely motivated by disruption rather than exploitation, though exposed data could facilitate fraud.

Description

On or around May 22, 2019, Computacenter UK Ltd discovered a cybersecurity breach targeting a third-party mailbox used to collect sensitive employee and contractor data for security clearance applications. The compromised mailbox, operated by an unnamed external provider, stored information submitted by individuals when their security vetting documentation contained missing or incorrect details. This data included personally identifiable information such as identification documents, contact details, bank account information, residential addresses, and employment histories. Specific examples of requested documentation included passports, driving licenses, and bank statements. Attackers gained unauthorized access to the mailbox, changed its password, and locked Computacenter out, as evidenced by system audit logs. The perpetrators then used the mailbox to distribute phishing emails. Computacenter confirmed the breach in a staff notification on May 22, acknowledging they could not determine whether the mailbox contents had been exfiltrated or merely deleted during the incident. The company emphasized that its own corporate email systems remained uncompromised.

Upon detection, Computacenter initiated its Group Information Assurance compliance protocol, confirming no other systems linked to the security vetting process were affected. Immediate containment measures included blocking unauthorized mailbox access, discontinuing use of the compromised system, and instructing users to cease submitting information to it. The company established secure alternative processes for ongoing security clearance operations and planned permanent mailbox deletion following investigation completion. Impacted individuals received warnings to monitor financial accounts for fraudulent activity and were offered a 12-month identity monitoring service, though enrollment required direct contact with the UK Vetting Team. Computacenter reported the breach to the UK Information Commissioner's Office. Employees expressed concerns that the exposed data constituted a "custom identity fraud kit," given its comprehensive nature and mandatory submission requirements for site access privileges. The company assessed the attack's primary motive as disruptive rather than financially exploitative but maintained caution regarding potential identity theft risks.
