Business process outsourcer Capita was in the dock again this week after a local authority revealed that historic data from several councils was stored on an unsecured cloud server managed by the firm.
In an update to its investigation yesterday, Colchester Council criticized the “unsafe storage of personal data” by Capita and said it has requested more information on the extent of the leak.
“Capita has been entrusted with the crucial task of providing the council’s end-of-year auditing services for council tax and benefits. This involves extracting information from the council’s secure systems. However, recent events have brought to light the fact that Capita has failed to maintain the necessary standards for data protection,” the council explained in a statement.
“The benefits data files include details of the benefits people are in receipt of. This is historic data and relates to the 2019/20 and 2020/21 financial years. The data, along with similar information from other local authorities, was found on an unsecured Amazon data bucket controlled by Capita. Capita has confirmed that it has since been made secure and we can confirm that the data does not include any bank details.”
While it is unclear how the incident came to light, it appears to be a fairly common cloud misconfiguration error. As such, the impact should be limited, provided malicious third parties did not discover the mistake and manage to access and exfiltrate data before it was remediated.
However, the timing couldn’t be worse for the outsourcer, which is still dealing with the fallout from a ransomware breach in late March. Although it is still unclear how much data was stolen in that raid, Capita has said that less than 0.1% of its server estate was impacted.
“This serves as a reminder of the potential impacts when relying on third-party providers and suppliers,” argued Javvad Malik, lead security awareness advocate at KnowBe4.
“While outsourcing can be financially beneficial, organizations need to remember that they cannot outsource responsibility, and so, they need to carefully vet their third-party providers to gain assurance they are keeping data secure.”