Three-day Capita outage was result of cyber attack

Public sector outsourcer Capita has confirmed a major outage which began on 31 March was the result of a cyber attack affecting its Office 365 apps

A major IT outage at outsourcer Capita that began on Friday 31 March has been confirmed as the result of a cyber attack of a currently undisclosed nature.

The incident downed some customer-facing services and, given the nature of Capita’s business – the organisation has billions of pounds of public sector contracts – sparked immediate fears of a cyber attack.

Among the organisations affected were several councils, including the London boroughs of Barnet and Barking and Dagenham, which were forced to suspend their call centre operations.

According to internal sources, the incident also hit some providers of critical national infrastructure (CNI), forcing staff to resort to pen and paper in some cases.

In a statement, Capita said it had indeed “experienced a cyber incident” primarily impacting access to internal Microsoft Office 365 applications.

“This caused disruption to some services provided to individual clients, though the majority of our client services remained in operation,” the organisation said.

“Our IT security monitoring capabilities swiftly alerted us to the incident, and we quickly invoked our established and practised technical crisis management protocols,” it continued. “Immediate steps were taken to successfully isolate and contain the issue. The issue was limited to parts of the Capita network and there is no evidence of customer, supplier or colleague data having been compromised.”

Restoring client services

Over the weekend, Capita’s IT and security teams have been working alongside specialist technical assistance to restore internal access to the affected applications, and are also making “good progress” in restoring client services to full working order.

Although the manner in which the incident first unfolded bears the hallmarks of a ransomware attack, there is, at the time of writing, no indication as to whether or not Capita has been affected by ransomware.

Again, the nature of its business as a supplier to operators of the UK’s most critical public services would make Capita a prime target for a financially-motivated or state-backed threat actor. The organisation has not made any further comment on the nature of the incident.

Arctic Wolf strategy vice-president Ian McShane said: “Due to its unique position at the heart of government and public services like the NHS, and the ongoing growth of attackers using supply chains to attack at scale, it’s vital that organisations with direct links to or from Capita’s IT and application infrastructure take precautions to stop any potential spread.

“Organisations also need to be alert to criminals taking advantage of any confusion around this,” he said. “Attackers always look to capitalise on fear and uncertainty through tailored social engineering attack campaigns. As such, employees should be advised to scrutinise any communications extra carefully.

“Company leaders should also communicate directly with employees to ensure they understand the process for flagging suspicious emails or messages,” added McShane. “Likewise, IT teams should review what protections they have in place, and implement proactive monitoring for all administrative accounts, ensuring any changes made to these accounts will trigger an alert.”

Read more about recent cyber incidents

30 March: Ongoing supply chain attacks against customers of UC firm 3CX appear to be linked to North Korean threat actors.

21 March: The power and energy division of Japanese conglomerate Hitachi has disclosed that it has fallen victim to a Clop cyber attack, but insists customer data is safe.

21 March: Italian carmaker Ferrari says it will refuse to pay a ransom after an unspecified threat actor broke into its IT systems and stole customer data.

16 March: Rubrik was supposedly compromised by the Clop ransomware gang via a zero-day vulnerability in a managed file transfer software package it uses.

2 March: The retailer has said that customer data has not been affected by the incident as it is held in different systems, and that investigations into the attack are ongoing.
