Massive Ransomware Attack Affecting Hundreds of Thousands of Consumers

Recent news of a massive cyber ransomware attack on a significant UK business has created one of the largest known impacts on UK businesses and consumers.

This attack by a notorious ransomware group on the major UK outsourcing company Capita continues to impact hundreds of thousands of people three to four weeks after being first reported.

This blog details the attack and its consequences and offers thoughts on how smaller businesses can prepare for these risks.

What happened?

In March, Capita publicly admitted that it had become another large organisation that was the victim of a targeted ransomware attack. Capita is a business that runs core services worth billions of pounds for government and high-profile private industry, including local councils, the NHS, the military, the BBC and pension funds. It operates the UK’s largest pension fund and private schemes for many large organisations. This cyber attack compromised Capita’s most profound IT systems and threatened the personal details of hundreds of thousands of pensioners whose data was stolen.

More than 90 large organisations have reported breaches of personal information from this attack. The victims include companies such as the Royal Mail and Axa, which have millions of policyholders, and the UK’s largest pension fund, the Universities Superannuation Scheme (USS). The USS alone has gone on record to publicly confirm that the cyber breach has affected over 470,000 individual policyholders, with serious data breaches of their names, birthdates, and National Insurance Numbers. This type of personal data breach can result in identity theft or at least enormous inconvenience and concern.

The nature of Capita’s business support structure means that by accessing Capita’s systems, hackers potentially could access many of their suppliers, business customers and individual consumers whose data is processed daily by the company. As the impact continued, The Pensions Regulator (TPR) advised over 300 of its pension funds of this potential data theft and then other pension schemes administered by Capita. This included hundreds of private sector pension schemes belonging to employees of Marks and Spencer, Diageo, Unilever and Rothesay, who had to step in and take preventive and emergency action in warning their members that their data was likely to have been stolen.

Rumour of a £15million ransom

After being made aware of the attack, Capita decided that the best course of action was to pay the hackers a ransom fee to protect the data, which the company needs daily access to so they could carry out business.

Creating a responsible business repatriation plan must have been a significant risk for the business, whose core business is the processing of other companies’ personal and private data relating to individuals. This took longer than hoped with many people feeling angry that there was a lack of speed and transparency. Capita did not publicly acknowledge the extent of the attack until April, having initially denied that any customer data had been compromised. The magnitude of the impact caused the Times to call Capita’s response a “crisis.” The CEO of Capita, Jon Lewis, then confirmed it was “a sophisticated cyber attack.”

Who was behind this?

Responsibility for the attack was publicly claimed by a known cyber threat group called Black Basta, who started to sell Capita’s data via the dark web. This included the bank account details of 152 businesses, scanned images of passports, application forms from individuals for teaching positions and security vetting data. By proving they had this type of data, Black Basta clarified how much valuable information they had managed to steal. Other data allegedly listed for sale included a Capita Nuclear document, the internal drawings of building floor plans and documents marked confidential.

This data implies that the cyber attack had penetrated deep into Capita’s internal IT systems. With customers that include the NHS and the Department for Work & Pensions, the data breach will likely have included highly sensitive data that would greatly benefit criminals.

Black Basta/ BlackBasta

These cybercriminals are a known ransomware group that has only been around since 2022 but have rapidly become one of the most active threat groups, targeting 19 large businesses with over 100 confirmed victims. Targeting companies in multiple countries, but typically in the US, Japan, Canada, UK, Australia, and New Zealand, they use a double extortion technique. This means that once stolen, they encrypt the stolen data before threatening to publish or sell the data for a ransom of millions of pounds.

The implications of the Capita cyber attack highlight the urgency for organisations to prioritise robust cybersecurity practices to safeguard sensitive information and mitigate the damaging consequences of data breaches.

Businesses holding personal data, mainly where they conduct processing on behalf of their clients, must have a clear cyber assurance strategy. Planning and rehearsing against such attacks in real-life simulated cyber attack training, using real-world examples and multimedia inputs to create a real sense of urgency, is something that businesses in the critical national infrastructure have been doing for years.

It is now time for small to medium businesses to take the risks of cyber attacks seriously and to plan and protect against them. Thrive can help design, plan, rehearse, and test your cyber attack strategy and make sure that your staff are put to the test. Hence, they are as prepared as possible for a cyber attack that might look insidious on the surface but could have a material, significant impact on your business.

Talk to Thrive. We are a trusted cybersecurity expert and an accredited Managed Service Provider and can offer your business the Next Generation of Managed Services.

Contact Thrive today to learn how we can help your business stay secure in today’s digital age.