Conversation

Notices

  1. Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 15-Jan-2024 02:18:37 JST

    Just over 5k people are suing Capita at the High Court over their ransomware data breach. Discovery on this one should be incredible.

    https://www.telegraph.co.uk/business/2024/01/14/thousands-pension-holders-sue-capita-russia-linked-hack/

    Unpaywalled: https://archive.ph/2024.01.14-082938/https://www.telegraph.co.uk/business/2024/01/14/thousands-pension-holders-sue-capita-russia-linked-hack/

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 16-Jan-2024 04:49:15 JST

      Capita are saying, regarding their court case, that there is no evidence that data stolen was publicly available. They may want to tell the people who were directly impacted. https://www.thetimes.co.uk/article/how-hackers-are-recruiting-on-the-dark-web-mpl2hvsss

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/111/761/695/734/667/311/original/1b5973a2c7a0d81a.jpeg
      2. www.thetimes.co.uk
        How hackers are recruiting on the dark web
        from Laith Al-Khalaf
        While other tech giants have spent the past year shedding jobs, one international software group has been recruiting enthusiastically. On a murky part of the in
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 06-Mar-2024 16:38:23 JST

      It’s been almost a year since the #Capita ransomware incident began. Here’s how the new CEO describes it in their yearly update.

      There’s now some careful rewording around data exfiltration and “recovery activities” of said data.

      The exact amount they book for incident response and recovery is £25.3m, and they do not mention if insurance will cover. Overall the business has booked a £106.6m loss for the year.

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/112/047/598/061/114/086/original/5dfc918322cd6ca7.jpeg
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 06-Mar-2024 16:41:35 JST

      #Capita cut the pension business out of their operational KPIs, citing the impact of the ransomware incident.

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/112/047/610/542/609/828/original/69e82e1ec0f46106.jpeg
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 06-Mar-2024 18:00:26 JST

      Investors react. #Capita

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/112/047/919/941/340/666/original/43eced8d0ee1f91d.jpeg
    • Joel Michael (jpm@aus.social)'s status on Wednesday, 06-Mar-2024 18:45:04 JST

      @GossiTheDog let’s see what happens in a couple of days. Good start that The Line is starting to notice atrocious IT security

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 13-Mar-2024 20:59:29 JST

      #Capita’s new CEO has refused to say if they paid Black Basta ransomware group last year (they did). https://www.thetimes.co.uk/article/capita-in-the-red-as-more-cuts-announced-mrs9gkx97

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/112/088/260/707/981/252/original/ae05765e5c2e67fd.jpeg
      2. www.thetimes.co.uk
        Capita in the red as more cuts announced
        from Katie Prescott
        The outsourcer published a pre-tax loss of £106.6 million in 2023 compared with a profit of £61.4 million in 2022
    • Zack Whittaker (zackwhittaker@mastodon.social)'s status on Wednesday, 13-Mar-2024 21:33:07 JST

      @GossiTheDog bizarre to me that the reporter didn't cite the ransomware payment as something to ask the CEO on the record if they dispute. you can't dispute something that happened.

    • Zack Whittaker (zackwhittaker@mastodon.social)'s status on Wednesday, 13-Mar-2024 21:36:50 JST

      @GossiTheDog it doesn't matter when you've got the CEO in front of you 'willing' (air quotes) to answer questions. you just have to ask the right questions!

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 15-Oct-2025 15:24:48 JST

      This thread is almost 1000 days old and getting a resurrection. #Capita have been fined £14m by the ICO over their ransomware incident.

      Lots of big details in the fine, including over 1tb of data stolen (as detailed in this Mastodon thread at the time), confirmation of Qakbot and my blog etc.

      Their SOC was wildly understaffed. It took the attacker 4 hours to get domain admin due to poor security practices. Lots of learnings for large orgs.

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/115/376/748/346/410/034/original/06df2740995c9e4d.jpeg
      2. https://cyberplace.social/system/media_attachments/files/115/376/748/747/073/737/original/15528ded7c2235d2.jpeg
      3. https://cyberplace.social/system/media_attachments/files/115/376/749/078/934/209/original/0c60787c9e9d6b93.jpeg
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 15-Oct-2025 15:32:03 JST

      Capita has the PII of 6 million people.. but aren’t exactly sure how many still.

      Additionally, they already had a major security incident running and external IR in before the encryption - while this incident was running, the attacker stole a terabyte of data over several days. The cause? No containment. They didn’t contain when they knew the attacker was on the network.

      #Capita

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/115/376/772/567/245/418/original/8368f3c6207b179c.jpeg
      2. https://cyberplace.social/system/media_attachments/files/115/376/772/932/036/399/original/adc8422e1efd6a0e.jpeg
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 15-Oct-2025 15:37:06 JST

      Here’s the data stolen. This included my data, as I had used their employee vetting scheme at the time (for a different company). #Capita

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/115/376/782/608/990/789/original/500ce2f84e349806.jpeg
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 15-Oct-2025 15:43:39 JST

      Capita says their systems had Nessus vulnerability scans. The ICO notes this is not a silver bullet, and that recurring penetration tests should take place. It found the business unit with exfiltrated data never had a pen test. #Capita

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/115/376/819/389/671/547/original/7c1588c9a29b3873.jpeg
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 15-Oct-2025 15:49:25 JST

      Capita had written down that it responds to all P2 alerts in its SOC within 45 minutes. It actually took them several days to reach the initial alert. They were never reaching their internal SLA.

      They argued with the ICO that it is not able to regulate its internal SLAs and it's regulatory overreach.. the ICO took a different view.

      #Capita

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/115/376/842/799/829/128/original/73e73e77ae5137ff.jpeg
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 15-Oct-2025 16:02:23 JST

      The ICO's view is orgs should be treating CobaltStrike as a P1 and immediately isolate systems pending investigation. #Capita

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/115/376/895/178/947/880/original/d0d0367d91215af7.jpeg
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 15-Oct-2025 16:09:32 JST

      Capita claim none of the exfiltrated data was available on the dark web - which is actually false if you read this thread, The Times got data from the portal and called the victims (teachers Capita vetted).

      Nevertheless, the ICO doesn’t agree anyway - there is still a risk of harm even if you pay the ransom and try to cover up the data theft, basically.

      #Capita

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/115/376/918/505/799/685/original/472647b3eae38fd6.jpeg
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 15-Oct-2025 16:11:08 JST

      The ICO note Capita sell a Managed SOC service to the UK government.. but failed to run its own SOC properly. #Capita

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/115/376/931/172/310/385/original/bb333d1ec6432c90.jpeg
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 15-Oct-2025 16:16:38 JST

      The ICO finds Capita was negligent when it comes to cybersecurity, particularly highlighting the SOC and Active Directory security. #Capita

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/115/376/952/819/251/499/original/448cad9ce8744897.jpeg
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 15-Oct-2025 16:22:19 JST

      The full Capita report is available here:

      https://ico.org.uk/media2/pv5nhks4/capita-plc-and-cpsl-monetary-penalty-notice.pdf

      A significant portion of the report is Capita arguing with the ICO that it doesn’t have the remit, and the ICO saying “Sure Jan” and then Capita agreeing the fine.

      Tl;dr love your SOC. And fix Active Directory. The threat actor actually deployed BloodHound before Capita. And don’t try to cover up your breaches.

      #Capita

    • System Adminihater (systemadminihater@cyberplace.social)'s status on Wednesday, 15-Oct-2025 21:45:37 JST

      @GossiTheDog How much do you think companies should be spending to staff their SOC? Every dollar they make? Sorry it's just nuts how expensive all this is.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 21-Nov-2025 20:52:18 JST

      I wrote up my thoughts on what orgs can learn from the Capita ICO fine for their ransomware incident:

      https://doublepulsar.com/what-organisations-can-learn-from-the-record-breaking-fine-over-capitas-ransomware-incident-6afbdfcdd35b

    • Mathew J. Schwartz (euroinfosec@infosec.exchange)'s status on Friday, 05-Dec-2025 18:50:44 JST

      @GossiTheDog :neocat_cry:

      Attachments

      1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/115/666/195/524/041/355/original/03db03c35b52c0e0.png

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.