"... potentially affecting around 4 percent of Capita’s server estate ..."
Just the storage (DB, file and object) servers then?
Business process outsourcing and tech services player Capita says there is proof that some customer data was scooped up by cyber baddies that broke into its systems late last month. The British listed business, which has around £6.5 billion ($8.09 billion) in public sector contracts, updated the London Stock Exchange this …
Or, maybe, damn near ALL the servers for specific contracts? I wonder which ones?
Back in the day, C-word contracts were typically siloed from each other, separated from pretty much everything except the mothership (I don't know if anything's changed since things went all cloudy...) It certainly made things nice and simple when it was time to wind a contract down and they decided to do a bit of pruning. Snip! And you're all gone.
Depends on whether the businesses they have bought and ruined in the process were fully integrated or not (normally I find this out when they demand payment and forget to tell us that whichever company they bought that we used has had its finances assimilated).
Crapita stop buying and then ruining companies we use!
Also, government, please stop unthinkingly handing contract after contract to these numpties. "Big & experienced" does not equal "competent".
Not to set up a false dichotomy, but having gov't contracts spread out across a multitude of smaller entities does start to look attractive. No eggs-in-a-single-basket scenario, and - bonus - no "joined-up government". Which is always sold as being convenient for the citizen, but in reality just means that the council's data on how full your bins are, or the ANPR camera data on where you've driven, can be used by completely unrelated departments to fine/coerce/"nudge" you.
The problem is that this needs Government people (employees or contractors reporting directly to them) at the top of the pyramid, defining the architecture, interoperability and other standards, &c. rather than the "easy option" of letting a vast consultancy company deliver "the entire solution"
It always turns out to not be that easy or entire, but I wonder how long these lessons will take us to learn ...
The longer this drags on the more it confirms how crap Crapita are.
Be honest and open early instead of being shifty and evasive*
Even just admitting a breach ASAP (once reasonable mitigations are in place to stop further breach progress / exfiltration, obviously) and saying that more details will be coming later will be seen as fine: unless they have an appalling setup & staff, it should not have taken a huge amount of time to detect & stop the breach.
As the article mentions infosec folk such as Kevin (AKA Gossi the dog), worth noting that the Crapita breach has been talked about on various infosec forums for quite a while and Crapita were glacial in confirming the breach given it was "common knowledge" they were victims.
* Even if you take massive precautions you cannot guarantee you are "safe"; if you are a decent sized company it's worth having a "when, not if, we get hacked" mindset, as there's always the chance of a zero day (or the soft option of staff revealing credentials, be it via phishing, more old school social engineering, hacks of a staff machine via the staff home network (with WFH, if someone breaks into a home network it's always worth their while finding out who the mark(s) work for, as it can make a nice juicy attack vector into the company they work for), etc.).
Typically with exfiltration of data you have a decent time window to detect things (as once the attackers are in it's worth their while seeing how far they can spread in case they can find higher value targets, as often the entry point will not hold "crown jewels" level data), and so there are key things to look out for, e.g. in addition to looking out for unusual internal network activity, also check for unusual outgoing network activity (as files are shipped out). Always an arms race detecting nasty data egress, made more painful these days by the likes of CDNs and cloudy services. Typically it can be a bit of a pain to easily tell if some data going to Cloudflare or AWS is legit CDN or cloud use or whether it's an attacker, as they often grab data multi-step via "innocuous" looking initial pathways (as mentioned, the likes of Cloudflare, AWS etc. will usually have plenty of valid connections made from a corporate network, so a sensible initial exfiltration connection point) rather than slurping it directly to more suspect looking IPs they control.
I'm very happy I no longer have anything to do with the security side of things** in current job (as, when I was more involved in that side of things in other roles you always felt disaster was just around the corner & every CVE made your sphincter tighten in case it was something that could leave you wide open).
** Obv, still make an effort on home networks security side of things but that's not got any particularly sensitive / valuable data (if someone gets in they won't find NI number, phone number, DOB, lists of passwords etc. on any of my personal machines) unlike commercial "work" data security scenarios.
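A concrete form of the "unusual outgoing network activity" check described in the comment above, as an added example that is not part of the thread: each host/destination pair is compared against its own historical daily egress, so routine bulk uploads stay quiet while a workstation suddenly pushing gigabytes to an otherwise-legitimate CDN endpoint is flagged. The log format, hostnames, destination names and thresholds are constructed assumptions.

```python
"""Flag hosts whose outbound volume to a destination jumps far above their
own baseline.  Added example; log format and thresholds are assumptions."""
from collections import defaultdict
from statistics import mean

# Constructed sample proxy log: day, source host, destination, bytes sent.
SAMPLE_LOG = """\
2023-03-20 ws-finance-07 cdn.cloudflare.example 812000
2023-03-21 ws-finance-07 cdn.cloudflare.example 790000
2023-03-22 ws-finance-07 cdn.cloudflare.example 845000
2023-03-23 ws-finance-07 cdn.cloudflare.example 31500000000
2023-03-20 build-01 s3.amazonaws.example 4000000000
2023-03-21 build-01 s3.amazonaws.example 4100000000
2023-03-22 build-01 s3.amazonaws.example 3900000000
2023-03-23 build-01 s3.amazonaws.example 4200000000
"""


def parse_log(text):
    """Parse whitespace-separated rows into (day, host, dest, bytes) tuples."""
    rows = []
    for line in text.splitlines():
        day, host, dest, sent = line.split()
        rows.append((day, host, dest, int(sent)))
    return rows


def egress_anomalies(rows, current_day, ratio=10.0, min_bytes=100_000_000):
    """Return (host, dest, bytes, baseline) for pairs whose egress on
    current_day exceeds ratio x their historical daily mean and an absolute
    floor.  The floor suppresses noise on tiny flows; the per-pair ratio is
    what lets build-01's routine 4 GB uploads pass while a finance
    workstation's sudden 31 GB to a CDN does not.  A pair with no history
    has baseline 0, so any large first-time flow is reported."""
    daily = defaultdict(int)
    for day, host, dest, sent in rows:          # aggregate per pair per day
        daily[(host, dest, day)] += sent
    history, today = defaultdict(list), {}
    for (host, dest, day), sent in daily.items():
        if day == current_day:
            today[(host, dest)] = sent
        else:
            history[(host, dest)].append(sent)
    findings = []
    for (host, dest), sent in sorted(today.items()):
        baseline = mean(history[(host, dest)]) if history[(host, dest)] else 0.0
        if sent >= min_bytes and sent > ratio * baseline:
            findings.append((host, dest, sent, baseline))
    return findings


if __name__ == "__main__":
    for host, dest, sent, base in egress_anomalies(parse_log(SAMPLE_LOG), "2023-03-23"):
        print(f"{host} -> {dest}: {sent} bytes out (baseline {base:.0f})")
```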
"Even just admitting a breach ASAP (once reasonable mitigations in place to stop further breach progress / exfiltration obviously) and say that more details will be coming later will be seen as fine".
Being this vague early on can be more damaging than saying nothing because shitty tongue in cheek rags like El Reg (no offense) start pontificating on the cause and effect which can lead to rumours and misleading news articles elsewhere.
El Reg: Capita hacked, data exfiltrated...could be Russians, boat loads stolen.
BBC: Industry channel reports data stolen by the boat load by Russians from Capita.
GB News: People on boats, crossing the channel steal data from Capita!
The question you should be asking, is if they retained any SIMS data (having sold that part of the business) and if so, if that was breached.
If it was, this is the biggest data breach in UK history, because the hackers have the details of every single child and parent in the country (name, address, dob, phone numbers, email addresses, relationships, school attended and even photographs).
They've taken the lot. Army recruitment, BBC licence fee, the lot. The crims probably now have the data for most people in the United Kingdom.
So, having lost personal information for millions of people, guess how much jail time there will be? And guess how many Government contracts will now be moved elsewhere? A Round Number!
Having worked there this is not surprising at all. I was once told in a performance meeting that I wouldn't get rewarded for doing a good job because they only paid people for an OK job; the reason being that customers only paid for an OK job so Capita only aims to do just enough to avoid being sued.
Honestly? What on earth needs to happen? Does someone need to lose their life? Capita should be on a list to say they cannot compete for UK Gov contracts. Poor performance, and poor cyber hygiene should automatically send a huge red flag! It would in the private sector, so why not in the public sector? It's our data they are carelessly giving away!!!