We recently reported that Capita, the London-based professional outsourcing company, had disclosed a cyberattack that occurred at the beginning of April.
Now a further revelation shows that, in a separate lapse, the company left a large store of files exposed to the internet for around seven years.
A security researcher who wished to remain anonymous notified TechCrunch about an unsecured storage bucket hosted on Amazon Web Services (AWS) that Capita had only recently secured.
The researcher stated that the bucket had been exposed to the internet since 2016 and contained around 3,000 files with a total size of 655GB.
The bucket required no password or other authentication, so anyone who knew, or guessed, its easily guessable web address could read its contents.
Furthermore, the exposed bucket had been indexed by GrayHatWarfare, a searchable database of publicly visible cloud storage, so it was discoverable without guessing at all.
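How an exposure like this is detected from the bucket's own settings, as an added example that is not part of the TechCrunch report and not Capita's tooling: the evaluator below takes the response shapes the S3 API returns for GetBucketAcl, GetPublicAccessBlock and GetBucketPolicyStatus (the same JSON the AWS CLI or boto3 hands back) and decides whether anonymous readers can reach the bucket. Bucket names, owner IDs and all sample responses are constructed for illustration, and only the bucket-level Public Access Block is modelled; an account-level block is assumed absent.

```python
"""Decide whether an S3 bucket is publicly readable from its access settings.

Added example, not code from the TechCrunch report or from Capita. Inputs
follow the response shapes of GetBucketAcl, GetPublicAccessBlock and
GetBucketPolicyStatus. All sample responses and names below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Grantee URIs AWS uses for "everyone" and "any signed-in AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTHENTICATED_USERS}
# ACL permissions that let such a grantee list or read objects.
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}


@dataclass
class Finding:
    bucket: str
    url: str
    public: bool  # True when anonymous reads are effective
    exposures: List[str] = field(default_factory=list)    # settings that open it up
    mitigations: List[str] = field(default_factory=list)  # settings that neutralise them


def bucket_url(name: str) -> str:
    """The virtual-hosted-style address an anonymous client would probe."""
    return f"https://{name}.s3.amazonaws.com/"


def public_acl_grants(acl: Dict) -> List[str]:
    """Describe ACL grants that give AllUsers/AuthenticatedUsers read rights."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GRANTEES
                and grant.get("Permission") in READ_PERMISSIONS):
            who = "AllUsers" if grantee["URI"] == ALL_USERS else "AuthenticatedUsers"
            hits.append(f"ACL grants {grant['Permission']} to {who}")
    return hits


def classify_bucket(name: str, acl: Dict, pab: Optional[Dict] = None,
                    policy_status: Optional[Dict] = None) -> Finding:
    """Combine ACL, bucket-level Public Access Block and policy status.

    pab=None models GetPublicAccessBlock failing with
    NoSuchPublicAccessBlockConfiguration, i.e. no block configured at all.
    Assumption: no account-level block is in force on top of the bucket's.
    """
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    finding = Finding(bucket=name, url=bucket_url(name), public=False)

    acl_hits = public_acl_grants(acl)
    if acl_hits:
        if cfg.get("IgnorePublicAcls"):
            # S3 ignores every public ACL on the bucket and its objects.
            finding.mitigations.append("public ACL grants ignored (IgnorePublicAcls)")
        else:
            finding.exposures.extend(acl_hits)

    if (policy_status or {}).get("PolicyStatus", {}).get("IsPublic"):
        if cfg.get("RestrictPublicBuckets"):
            # A public policy is confined to the account and AWS service principals.
            finding.mitigations.append("public policy restricted (RestrictPublicBuckets)")
        else:
            finding.exposures.append("bucket policy is public (PolicyStatus.IsPublic)")

    finding.public = bool(finding.exposures)
    return finding


# Constructed sample responses in the S3 API's shape; IDs are placeholders.
OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"}
EXPOSED_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
PRIVATE_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
HARDENED_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
}}
PUBLIC_POLICY_STATUS = {"PolicyStatus": {"IsPublic": True}}


def demo() -> List[Finding]:
    """Hypothetical buckets: open via ACL, same ACL behind a block, open via policy."""
    return [
        classify_bucket("example-release-files", EXPOSED_ACL),
        classify_bucket("example-release-files", EXPOSED_ACL, HARDENED_PAB),
        classify_bucket("example-web-assets", PRIVATE_ACL, None, PUBLIC_POLICY_STATUS),
    ]


if __name__ == "__main__":
    for f in demo():
        verdict = "PUBLIC" if f.public else "not public"
        print(f"{f.url}: {verdict}; {f.exposures or f.mitigations or ['no public settings']}")
```

In practice the three inputs come from `aws s3api get-bucket-acl --bucket NAME`, `aws s3api get-public-access-block --bucket NAME` (which returns a NoSuchPublicAccessBlockConfiguration error when nothing is set, the case `pab=None` models) and `aws s3api get-bucket-policy-status --bucket NAME`. The cheapest outside-in check needs no credentials at all: an unauthenticated GET of the bucket URL that returns a 200 with a ListBucketResult body means anyone can enumerate the objects, which is exactly the condition a crawler such as GrayHatWarfare indexes.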
According to TechCrunch's review of a sample of the filenames, the exposed bucket held software files, server images, various Excel spreadsheets, PowerPoint presentations, and text files.
The security researcher informed TechCrunch that one of the text files contained login credentials for one of Capita’s systems, and some filenames suggested that data was being uploaded to the bucket as recently as this year.
It’s uncertain if the files contained any data belonging to Capita’s customers, which include the UK’s National Health Service and the Department for Work and Pensions.
The security researcher told TechCrunch, “I’m going to guess some of this stuff is not supposed to be available to the internet, given they closed the bucket since.”
Capita was informed of the exposed bucket in late April and secured it the same week.
However, according to the security researcher who reported the breach to Capita, the company does not have a responsible disclosure program or a dedicated security contact.
In response, Capita spokesperson Elizabeth Lee provided a statement to TechCrunch saying that the unsecured bucket contained “information such as release notes and user guides, which are routinely published alongside software releases in line with standard industry practice.”
However, she declined to answer any further questions on the matter.
Separately from the bucket exposure, Reuters reported this week that the British outsourcing company has confirmed to its pension clients that some data was likely taken during the April cyberattack.
According to correspondence sent to trustees, a significant team of staff at Capita conducted a thorough search of the affected servers and determined that certain pension data, which Capita processes on behalf of its clients, “is likely to have been exfiltrated” during the recent cyber incident.
The company has not yet provided any additional details about the data that may have been compromised.