Capita Ignored EDR Alert for 58 Hours, Say Investigators

British outsourcing giant Capita must pay 14 million pounds to British data regulators for privacy violations tied to a 2023 hack that impacted more than 6 million individuals.
The Information Commissioner's Office on Wednesday imposed an 8 million pound fine against Capita Public Limited Company and a 6 million pound fine against the firm's Capita Pension Solutions subsidiary for inadequate security measures.
The hack, claimed by the since-disbanded ransomware group BlackBasta, resulted in attackers accessing 975 gigabytes of records containing the personal data of roughly 6.7 million individuals. The group posted the data to its dark web leak site. The records included addresses, contact details, national insurance numbers, passport details and bank account numbers, as well as sensitive medical data.
“Maintaining good cybersecurity is fundamental to economic growth and security. With so many cyberattacks in the headlines, our message is clear: every organization, no matter how large, must take proactive steps to keep people’s data secure,” said ICO Commissioner John Edwards.
Capita is a major service provider to NHS England, the City of London Police and the Ministry of Defence. At the time of the attack, it handled data processing operations for more than 600 administrators, and it is still set to take over operations of the U.K. Civil Service Pension Scheme.
An investigation by the ICO found hackers gained initial access to Capita’s network in March 2023 when an unidentified employee downloaded a malicious JavaScript file. The file installed Qakbot and Cobalt Strike on the compromised device and then deployed ransomware.
A company endpoint detection and response system caught the malicious file within 10 minutes of its download, but the company didn't respond to the system alert until 58 hours later, the ICO found. "The alert is written in plain English and phrases including 'Threat Alert – High,' 'Credential Access' and 'Privilege Escalation' are clear and obvious," the agency said.
The ICO attributed the incident to inadequate security measures that included poor Active Directory tiering, permissive privilege access management and no penetration testing. Despite being warned of poor Active Directory tiering on three occasions prior to the hack, the ICO said the company continued to allow over-privileged accounts.
“Capita was also not utilizing PAM, which would have included features that could reasonably have mitigated the risk of damage once the threat actor had gained access to Capita’s systems,” the ICO said.
The regulator initially proposed a fine of 45 million pounds but reduced it to 14 million pounds due to remedial actions taken by Capita and the company’s decision not to appeal the penalty.
Remedial steps taken by the company include restoring its impacted systems and updating those impacted by the breach. Capita also appointed specialists to monitor the dark web to identify whether exfiltrated data had been published, and later reported back to the ICO that it observed "no harm or damage" to data leak victims.
Capita’s CEO Adolfo Hernandez on Wednesday said the company’s latest investments have accelerated its “cybersecurity transformation.”
“As a result, we have hugely strengthened our cybersecurity posture, built in advanced protections and embedded a culture of continuous vigilance,” he said.
