Victims of 2023 Capita data breaches head to High Court

More than 5,000 people impacted by data breaches arising from two cyber incidents affecting outsourcer Capita have joined a group action lawsuit

Ordinary people who believe their personal data was compromised in two different cyber incidents that affected systems at Capita in 2023 – one a ransomware attack claimed by the Black Basta syndicate; the other an accidental leakage of data stored in an unsecured AWS S3 bucket – are heading to the High Court of England and Wales as a group action lawsuit led by Manchester-based Barings Law moves forward.

Legal proceedings against the outsourcing giant were formally triggered on 12 January 2024, and Barings Law is now representing more than 5,000 people. It claims that about 50 new claimants are coming forward on a daily basis.

The law firm said its own investigations had found “alarming potential breaches” of information, including compromised emails, passport data, home addresses and fraudulent purchases made via victim bank accounts.

“Our High Court action speaks volumes, echoing the concerns of thousands of distressed individuals whose privacy was jeopardised. It’s time to ensure that corporations prioritise safeguarding the digital trust we all rely on,” said Barings Law head of data breach Adnan Malik.

“Data breaches are not just about ones and zeros; they’re about lives and the trust people place in organisations. The Capita data breach isn’t just a case; it’s a wake-up call for corporations to prioritise the protection of sensitive information, and we won’t rest until justice is served.”

Malik said this could potentially be one of the largest data breaches ever seen in the UK. “Aside from people’s pensions being affected, the testimonies from our clients reveal some very concerning details ranging from potential huge financial impact to highly sensitive details being compromised.”

Capita, which expects the Black Basta cyber attack to end up costing it between £15m and £20m, has previously said the data it knows to have been stolen was extremely limited, and was taken from less than 0.1% of its overall server estate.

That said, a not-insignificant number of its customers were impacted, including multiple pension funds, and NHS England, from which a minimal amount of data was taken. The breach that arose via the unsecured Amazon bucket similarly impacted local authorities and included details of benefit claimants. 

Malik added: “While acknowledging Capita’s own victimisation in this cyber attack, the projected £20m it will cost them, though substantial, appears almost trivial given their ample resources.

“Conversely, our resilient clients, who’ve poured their sweat and soul into life’s endeavours, now confront the heart-wrenching reality of losing everything they’ve worked so tirelessly to build,” he said.

“Our pursuit of justice doesn’t just send a message; it roars one into the void – data breaches exact a toll that reverberates and serves as a poignant reminder, urging companies to imbue their actions with empathy, to safeguard personal data they hold.”

A Capita spokesperson told Computer Weekly: “There is no evidence of any information in circulation, on the dark web or otherwise, resulting from the cyber incident, and no evidence linking Capita data to fraudulent activity. Whilst we don’t comment on specific ongoing legal matters, we strongly reject any suggestion that there is any valid basis for bringing a claim against Capita.”

Read more about the cyber attack on Capita

  • 3 April 2023: Public sector outsourcer Capita has confirmed a major outage which began on 31 March was the result of a cyber attack affecting its Office 365 apps.
  • 20 April: Capita says it has uncovered evidence of data exfiltration from a small proportion of its server estate following a cyber attack at the end of March.
  • 5 May: Capita has told trustees of some of the pension funds for which it provides outsourced services that their customer data may have been stolen by the Black Basta ransomware operation.
  • 10 May: Exceptional costs arising from the March 2023 Black Basta ransomware attack on the systems of outsourcer Capita will be somewhere between £15m and £20m, the organisation says.
  • 30 May: As many as 90 organisations that used Capita services have now reported data breaches arising from various security incidents at the outsourcer.
