More UK councils caught by Capita's open AWS bucket blunder

The bad news train keeps rolling for Capita, with more local British councils surfacing to say their data was put on the line by an unsecured AWS bucket, and, separately, pension clients warning of possible data theft in March's mega breach. Colchester City Council was the first to step forward last week to claim that tech …

  1. cantankerous swineherd

    "we take very seriously..."

    which is why they 1. outsourced to 2. the lowest bidder.

    1. yetanotheraoc Silver badge

      Another untruism

      "The privacy and security of our client information is of the utmost importance to us." ... Which is why the second party outsourced *again*, to a third party. They should check the definition of utmost, it's not the same as passing the buck. "We do only what is spelt out in the contract, to the minimum standard allowed by our lack of talent." FTFY

    2. anothercynic Silver badge

      Well, they (the councils) are expected to deliver value for money by their constituents, so any penny counts (especially if it comes to keeping their pension management costs down). But this breach widening and catching more and more organisations out means that Capita cannot be trusted and should a) lose all the contracts, and b) be fined to yazoo (without being able to recover the costs from the councils through charges). Oh, and paying for fraud monitoring for *every* member of the public impacted, that would be nice too.

      It's time that organisations like Capita learn that you. do. not. fuck. with. personal. data. without. consequences!!

      1. Strahd Ivarius Silver badge

        it is not their constituents, they call them "customers"...

      2. Mark 65

        Surely the best way of achieving savings would be for councils to pool resources and have a controlled entity service the common needs of all rather than each subcontract a set of nickel and diming muppets.

        1. anothercynic Silver badge

          Sure, that would be sensible, but that requires startup capital, which is a different bucket to operational budget. The accountants won't like it. And you maybe end up with something like USS, which all universities have a stake in, and yet which then shaft their pension holders with dodgy valuations. And you know how well that plays out.

    3. Mark 65

      How anyone continues to deal with the entity commonly known as Crapita is beyond me. Pay peanuts, get monkeys.

    4. John Brown (no body) Silver badge

      "which is why they 1. outsourced to 2. the lowest bidder."

      I was speaking with a guy who handles a local council's outsourcing and procurement deals a couple of years back and he said they are legally obliged to go with the lowest bidder who can meet the criteria, even when they have an existing and preferred supplier and really don't want to go with the actual lowest bidder because they know they will shit service. The best they can hope for is that they can get or keep in enough penalty clauses to mitigate the problem they know will come down the line. But the big outsourcers and/or suppliers can afford much better lawyers.

  2. VoiceOfTruth Silver badge

    And the contracts

    kept rolling in. And the Capita shareholders laughed like they were on a mixture of funny pills and laughing gas all the way to their offshore banks.

  3. JMiles

    They know how to

    Crap-IT-All with your data.

  4. Missing Semicolon Silver badge
    Facepalm

    "We are working with our third-party technical advisors to investigate this issue"

    Is that the new name for sitting in a conference room, holding your head in your hands, repeating "f**k, f**k, f**k"? Because there is little else to do.

    1. Anonymous Coward

      Re: "We are working with our third-party technical advisors to investigate this issue"

      they're not saying fuck fuck fuck....they're saying...keep your head down and we'll get more contracts when the noise dies down

  5. Missing Semicolon Silver badge
    FAIL

    The bad news train keeps rolling for Capita

    Not really. Bad news for the poor ordinary folks who will now have to watch their finances for pretty well "for ever" (I bet the data thieves know to wait until the free enhanced monitoring expires), but basically no effect on lucrative future contracts.

  6. David Austin

    Points of order

    "We have taken extensive steps to recover and secure the data."

    How? Secure, maybe, but you can't recover it once it's out in the wild.

    "We have worked quickly to provide our clients with information"

    Not according to the impacted customers in the very statements your spokesface was countering.

    Until line managers are fined/jailed for such IT mismanagement, this will keep happening - this isn't a sophisticated cyber hack which would offer a fig leaf of defence: This is an unsecured AWS bucket, the type of misconfiguration we've been warning about for over a decade.

    1. hoola Silver badge

      Re: Points of order

      You cannot recover digital data.......

      It is not like finding a box of paper.

      Once digital assets are exposed then that is it, the only option is to assume that ALL the data is now in the wrong hands.

      This is what pisses off most is that so far there has been absolutely no substantive action taken against any of these companies.

      Capita should be suspended with immediate effect from ALL their contracts. That would focus some minds.

  7. msknight

    "extensive steps to recover and secure the data."

    Do they actually believe that anyone takes that seriously? Once data has gone... it's out the barn door, into the field, over the hills and looooong gone. Even John Wayne with the longest lasso known to the human race ain't going to be rounding that steer up.

  8. Tascam Holiday
    Thumb Down

    Beyond a joke

    "We are working with our third-party technical advisors to investigate this issue. The data is secure and no longer accessible."

    Oh well that's alright then YOU FUCKING CLOWNS.

    1. Boris the Cockroach Silver badge

      Re: Beyond a joke

      Quote

      "We are working with our third-party technical advisors to investigate this issue. The data is secure and no longer accessible."

      Unless someone went and pressed ctrl-c then ctrl-v while the data was available but we do not think the hackers were very technically qualified

      Although they were more qualified than our outsourced IT department with their Admin/1234 as the root account/password*

      There's a very good reason why crapita is known as crapita

      *since changed to a far more secure version..... admin/4321

    2. Strahd Ivarius Silver badge
      Trollface

      Re: Beyond a joke

      the data is no longer accessible.

      did the intruders delete it?

  9. This post has been deleted by its author

  10. Anonymous Coward

    Hmmm

    I think that someone should learn how to spell "apologise".

    And there should be a law that states you can't be a councillor if your main ambition in life is to achieve the i.q. of a carrot. And you must also learn to take the blame for your fuckups instead of "it was someone/anyone else's fault"

    You fucking wankers chose Capita. It is your fault. Full Stop.

    1. nobody who matters

      Re: Hmmm

      Hey - I know some very intelligent Carrots. One of them has a degree in Agriculture!

      1. John Brown (no body) Silver badge

        Re: Hmmm

        And another is one of Ankh-Morpork's finest!

    2. Strahd Ivarius Silver badge
      Facepalm

      Re: Hmmm

      they don't have the IQ of a carrot, this is why:

      1. they ran for the position

      2. they were elected

      3. they chose Capita

      1. Cav Bronze badge

        Re: Hmmm

        Tell me you don't have a clue what you are talking about without telling me....

    3. hoola Silver badge

      Re: Hmmm

      Maybe if you had ever worked in the Public sector you would understand a little more rather than just hurling abuse at people.

      So much in Council services are now outsourced because they have no choice. Most of the systems are supplied by people like Capita, Civica and so on because they provide the underlying systems. The council is just a consumer. Part of the argument that started this is that it is cheaper as each council can use an existing service. Funding has been cut so much that it is simply not possible to do everything "in house". Outsourcing is considered cheaper because the costs are fixed and the only thing that needs to be managed is an SLA.

      It is a race to the bottom in funding and quality. If you want councils to have top-notch IT provision it will cost money. Money they don't have and nobody is prepared to give them.

      1. Anonymous Coward

        Re: Hmmm

        >Part of the argument that started this is that it is cheaper as each council can use an existing service

        Yeah, but I don't think each council makes a saving though - Capita makes increased profit each time they can re-sell the same/mildly tailored system, but I don't think subsequent councils receive increased discounts/it was built with the real mindset at some sort of national level that other councils would use it.

        1. anothercynic Silver badge

          Re: Hmmm

          They make a saving compared to what they would pay if they did it themselves. That's the point. The fact Capita goes and makes a loss on maybe the first few councils and then starts making a profit on everyone else after that is something else. You would expect that the more councils signed up the cheaper it would get for everyone, but that's not how capitalism works.

          1. Lomax
            Boffin

            Re: Hmmm

            > They make a saving compared to what they would pay if they did it themselves.

            You sound quite sure, and I have to ask: what numbers do you base this on?

            1. Lomax

              Re: Hmmm

              The UK government hands over roughly £1bn a year to Capita. I think you could run a fairly sizeable IT operation on that kind of money. Additionally you could probably recoup some of the cost by licensing your products to others. I know that's not "how capitalism works", but we've tried that and it clearly doesn't work - perhaps time to try something else?

  11. Anonymous Coward

    Full disclosure

    Let’s have free choice in who manages our data.

    Full custody control and access should be disclosed at the point of signing up.

    If it changes, allow free transfer.

    If the only choice is poor (coughcrapitacough), then good luck.

    Penalties for breaches should apply and be severe.

  12. Ball boy Silver badge

    Crapita errors. Again.

    This is now so common, I would be surprised if it doesn't spawn a phishing campaign in its own right: 'Your details were unfortunately exposed during the <insert a recent Capita goof> event and we strongly advise you to change your password. Click [here] to update your account'.....

    Sadly, some people will most likely fall for it.

  13. s. pam Silver badge
    Facepalm

    why do i always see the vomit emoji

    whenever i hear the name Crapita and a.n.other data breach i wonder???
