Councils complain to ICO after cyber attack at Capita

Councils affected by a £20m cyber attack at contractor Capita have complained to the Information Commissioner’s Office (ICO).

In one case a local authority has also accused the company of failing to provide timely information about compromised accounts, an allegation Capita has rejected.

Capita said the attack in April meant “some data was exfiltrated from less than 0.1% of its server estate”.

It expected to incur exceptional costs of approximately £15m-£20m for specialist professional fees, recovery and remediation costs and was “working closely with all appropriate regulatory authorities and with customers, suppliers and colleagues to notify those affected and take any remaining necessary steps to address the incident”.

The most critical response came from Adur and Worthing - where the two councils are separate entities but share services.

A message from Capita said the breach had not affected personal data held by the two councils.

But an Adur/ Worthing statement said: “Our internal investigation has involved reviewing each of the files that Capita has said was involved.

“Unfortunately this has revealed that those files did in fact contain some personal data belonging to around 100 Adur and Worthing residents.

“We've been able to confirm that there were no names or bank or building society details of residents involved and at this stage we consider that the risk to our residents appears minimal.”

Both councils said they were “extremely unhappy with both the data breach itself and Capita's failure to provide us with swift and accurate information about what they have discovered” and had alerted the ICO.

Colchester City Council said Capita provided its end-of-year auditing services for council tax and benefits.

It said: “This involves extracting information from the council's secure systems. However, recent events have brought to light the fact that Capita has failed to maintain the necessary standards for data protection.”

Historic data concerning Colchester residents was “found on an unsecured Amazon Data Bucket controlled by Capita”.

Richard Block, Colchester’s chief operating officer, said: “The privacy and security of personal information is paramount, and we are extremely disappointed that such a serious data breach by one of our contractors has occurred.

“We require all parties involved in the handling of sensitive information to adhere to the highest standards of data protection and it is unacceptable that Capita has failed to meet these required standards. As a result, we are considering what further action may be appropriate regarding Capita.”

Derby City Council’s director of financial services Alison Parkin said: “We’re very disappointed to hear about the incident involving one of our suppliers, Capita.

“We take matters of information security very seriously and have voluntarily reported this incident to the Information Commissioner’s Office;”

Rochford District Council said it was “taking swift and decisive action in response to the unsafe storage of personal data by its revenues and benefits software supplier, Capita”. 

Tim Willis, interim director of resources, said: “We know this will cause concern to residents and we want to apologise to those affected on behalf of Capita. We will be working with Capita to review the company’s processes and ensure the avoidance of any further breaches."

A Capita spokesperson said: “We are working with our third-party technical advisors to investigate this issue. The data is secure and no longer accessible. Our investigations into the matter are ongoing. The privacy and security of our client information is of the utmost importance to us.”

The company said all local authority clients affected had been contacted and it rejected that this had not been done in a timely way.

Mark Smulian