We have restored our phone lines to a temporary number. Please call us on 01619747020 until we restore our normal phone line. Apologies for the inconvenience.

Capita Data Breach: What Happened?

Over the past few months, hundreds of thousands of people have been informed they have been affected by the Capita Data Breach. We look into what actually happened and your rights for claiming compensation if you have been affected.

In March, the largest UK outsourcing services company, Capita, was hit by a cyber attack which caused widespread disruption. Subsequently, around 90 organisations filed data breach reports to the ICO (Information Commissioner’s Office) with hundreds of thousands of people now being notified their data has been breached. 

Following the cyber attack, just two months later in May, Capita filed a second data breach. The ICO said in a statement that a “second data breach emerged in May when it was reported that the firm had left benefits data fields in publicly accessible storage, prompting several councils to say they thought their data had been compromised.” 

What caused the Capita data breach? 

In March, Capita was hit by a cyber attack, which was claimed by the Black Basta ransomware group. The perpetrators of the attack would have had to have found a vulnerability in Capita’s cyber security system, granting them access to stored data. 

The most recent data breach occurred due to an exposed Amazon S3 bucket. Amazon S3 is a popular cloud-based service used by companies to suit their IT requirements. Leaving S3 buckets open poses a substantial cyber security risk as they can be publicly accessible to those who know where to look. 

Capita Data Breach Compensation Claim with Manchester Law Firm Barings Law
UNSECURED STORAGE – Unsecured data meant hackers had access to hundreds of thousands of peoples personal data

Why was the Amazon S3 bucket left unsecured? 

Amazon buckets are usually private by default, and only the account owner and people they grant permission to have access to its content. However, in the process of configuring a bucket, permissions will need to be reviewed to ensure privacy is kept as up-to-date as possible, as per Amazon’s advice.

Since the data breach, Amazon Web Services is now actively taking steps to resolve data exposures that could occur through misconfiguration.

What data is likely to have been breached? 

The two breaches contained significant sensitive data, causing a large-scale panic amongst those who had been informed they had been affected.

The first major reports came from a large number of pension funds which use a Capita system called Hartlink. One fund, The Universities Superannuation Scheme (USS), informed around 500,000 of its members to tell them their data was at risk, with many others following suit. 

The USS, along with other pension providers, has told its members that the accessed data included the members’ title, initial(s), full name, date of birth, National Insurance number, pension fund member number and retirement date. 

Other organisations that fall out of the pension fund industry have revealed that passport photos, bank account details, home addresses and phone numbers have also been breached and uploaded onto the dark web. 

Regarding the exposed Amazon S3 bucket, local councils may have been impacted the most. Details about constituents’ benefit details, including PIP (Personal Independent Payment), have been accessed. 

What are my rights if I have been affected?

The majority of the information that has been accessed over the two breaches falls under PII (Personal Identifiable Information) which could put you at a high risk of fraudulent activity. To avoid this risk, organisations have to be compliant with GDPR (General Data Protection Regulations).

If, in this case, a breach occurs, the organisation must report it to the ICO and the person(s) affected within a reasonable timeframe.

The ICO will start an investigation to see how it happened and what the organisation had in place to prevent this from happening. 

The less compliant an organisation has been, the higher the risk of being fined and suffering reputational damage. 

Regardless of the findings, GDPR gives you the right to claim compensation as a result of the organisation breaking data protection law. This includes both “material damage” (financial loss) or “non-material damage” (e.g. you have suffered distress).

Court proceedings can be costly and without the correct legal advice, your chances of success could be lower than with legal advice. Barings Law is currently taking on multiple data breach claims against organisations that have been hacked, and even sold data to third-party companies. 

If your data has been stolen or sold, we will act on your behalf on a no-win no-fee basis.

All you have to do is submit a quick 2-minute form by following the link below. 

Once our legal experts have assessed your case to see if you have a valid claim, they will be in contact to get the ball rolling. 

It’s as simple as that, and if you are still unsure, you can view our reviews from clients who have had successful data breach claims with us.