Capita class action: 2,000 folks affected by data theft sign up

The number of claimants signing up to a collective action against Capita over the infamous March cyber security break-in and subsequent data exposure keeps going up, according to the lawyer overseeing the case.

Manchester-based Barings Law dispatched a legal Letter of Claim to Capita concerning the breach in June after claiming it received a “staggering number” of enquiries, and by July said it had 1,000 clients on board.

In the latest update, the lawyer claims that figure has doubled to 2,000 - comprised of pension customers, employees and circa 100 individuals that operate in the medical profession. It believes millions of people's personal information including passport details, emails and home addresses could have been revealed to criminals in the breach.

"Barings Law are still receiving a large number of enquiries and sign ups on a daily basis," claimed Adnan Malik, head of data breach at the lawyer.

Capita took down its IT systems at the end of March after spotting that an intruder had broken through its tech defenses. The break-in happened on March 22 and wasn't spotted until March 31 when Capita interrupted them.

Russian ransomware crew Black Basta claimed responsibility for the criminal act, and posted data, including bank account information, addresses and passport photos they to have accessed.

Capita initially thought 4 percent of its server estate were accessed but later revised this to 0.1 percent, and admitted there was some evidence that customer, supplier or colleague data had been seen by the criminals.

Pension data was also added to the list the following month in May as investigators combed over the wreckage – Capita administers 450 pension schemes that contain 4.3 million members. The Pensions Regulator was notified and was advising its clients speak to Capita directly about any risks.

Britain's largest pension scheme, the Universities Superannuation Scheme also told members their data might have been accessed, and Capita warned staff that its own pension fund was among the victims of the March burglary.

UK data watchdog, the Information Commissioner's Office reckoned that as of May, 90 companies had informed them that their information had been breached in the Capita burglary.

The cost of the clean-up effort is estimated by Capita to be close to £25 million, the company said when releasing its financial results last month, which is 25 percent higher than previous estimate.

• Another security calamity for Capita: An unsecured AWS bucket
• Capita wins £50M fraud reporting contract with City of London cops
• More UK councils caught by Capita's open AWS bucket blunder
• Activists gatecrash Capita's AGM to protest GPS tracking contract

In a statement to The Register, a Capita spokesperson said: "Capita treats cyber security with the utmost seriousness and, in common with many organisations, regularly reviews its cyber security stance using third-party consultants where appropriate."

"The company has invested in a multi-year, multi-million-pound cyber security programme which has been accelerated in the wake of March's cyber incident.

"Capita has since been praised by external experts for its high level of cyber preparedness, and both UK government and commercial clients have expressed their gratitude over its handling of the incident."

"Capita strongly rejects any suggestion that there is any valid basis for bringing claims against it as a result of the cyber incident."

We asked the company how the investigation into the incident is progressing and when it will have further information to share with the public, but it refused to say more at this stage. ®