More councils investigate Capita data breach

Adur and Worthing Councils were told that data breach did not involve personal data – but their own investigation suggests otherwise. 

The well-known name Capita specialises in consulting, transformation and digital services. ‘Every day we help millions of people,’ it proclaims on its website, ‘by delivering innovative solutions to transform and simplify the connections between businesses and customers, governments and citizens.’

Capita’s clients include central and local government and authorities including the NHS, which use the firm to carry out various IT and financial roles. 

That makes any breach of the data the company administers extremely concerning. In March, hackers gained access to the data on hundreds of pensions funds and this information – including clients’ home addresses and passport images – began to be shared online. 

In recent weeks, another breach of data has come to light, affecting multiple local authorities. 

Staff at Adur and Worthing Councils in West Sussex became aware earlier this month of a potential breach at Capita involving systems it managed for the councils in February 2021. Capita wrote to the councils on May 16 to confirm this breach but said it did not involve personal data. 

However, the councils then conducted their own internal investigations into the breached files. In a statement, they said: ‘Unfortunately this has revealed that those files did in fact contain some personal data belonging to around 100 Adur and Worthing residents. 

‘We’ve been able to confirm that there were no names or bank or building society details of residents involved and at this stage we consider that the risk to our residents appears minimal. 

‘We are extremely unhappy with both the data breach itself and Capita’s failure to provide us with swift and accurate information about what they have discovered. 

We treat data protection extremely seriously and are currently identifying each and every one of our residents that has been affected.’ The councils will contact any residents whose data was affected. 

Colchester City Council was also affected by the breach. In this case, data relating to benefits from the financial years 2019-20 and 2020-21 was breached, though it does not seem to have been shared or used maliciously. 

Even so, Richard Block, Chief Operating Officer at the council, says: ‘The council is extremely disappointed that such a serious and widespread data breach has occurred and is robustly addressing the matter with Capita.’ The council will, ‘take all necessary steps to minimise any impact on residents.’ 

A spokesperson for Coventry City Council said they were also, ‘belatedly informed that there has been a potential historic data breach by our financial services contractor Capita. 

‘We are extremely concerned and disappointed by this news, not just because we take such matters very seriously, but also [given] the length of time it took to alert us.’  

Rochford District Council and South Staffordshire Council have also confirmed that their data has been affected in the breach and they are working with Capita to investigate the full extent of what happened.  

The Information Commissioner’s Office, which regulates data protection, is also ‘assessing the information provided’, according to a statement. 

A spokesperson from Capita says: ‘We are working with our third-party technical advisors to investigate this issue. The data is secure and no longer accessible. Our investigations into the matter are ongoing. The privacy and security of our client information is of the utmost importance to us.’ 

Infotec will, of course, report on developments in this story. 

In related news, the National Cyber Security Centre recently warned of increased threats to the UK’s critical national infrastructure.

Photo by Markus Spiske.