CrapITa
Our response “will go down as a case history for how to deal with a sophisticated cyberattack”. So the Sunday Times, on 09 April 2023, reported Jon Lewis, Chief Executive of the “consulting, transformation and digital services business” Capita, as saying.
On Thursday 30 March 2023 Capita staff experienced technical issues logging into their IT systems. The following day, a spokesperson for Capita was quoted as stating that “we have identified an IT issue that is primarily impacting our internal systems. We are working to swiftly restore those services that have been affected…” Immediately after the weekend, at 7am on Monday 03 April, Capita issued a regulatory notice to the stock market confirming that it had “experienced a cyber incident”, but that this was “primarily impacting access to internal Microsoft Office 365 applications”. The statement provided the reassurance that “there is no evidence of customer, supplier or colleague data having been compromised”. The company subsequently acknowledged that the attack had impacted client services, with councils and insurers being affected.
The attack was attributed to Black Basta, the Russian-speaking ransomware group whose modus operandi is to use phishing techniques to execute ransomware and exfiltrate data, naming its victims on its Tor leak site, Basta News. On 08 April it was revealed that the group had listed Capita on that site.
By 16 April, The Sunday Times reported that Black Basta was touting data purported to have been extracted from Capita for sale, including “Personal bank account details, addresses and passport photos”. Nevertheless, the article stated that “The company denies its data is for sale”, with Capita offering a statement that “We are in constant contact with all relevant regulators and authorities. Our investigations have not yet been able to confirm any evidence of customer, supplier or colleague data having been compromised”.
By 20 April, Capita confirmed that, contrary to its earlier statements, “There is currently some evidence of limited data exfiltration from the small proportion of affected server estate which might include customer, supplier or colleague data”. It indicated that initial unauthorised access had been obtained on 22 March, with potentially 4% of its server estate being affected, and that it would inform “any customers, suppliers or colleagues that are impacted in a timely manner” and “continues to comply with all relevant regulatory obligations”. The Information Commissioner’s Office issued a statement on 21 April, more than five (5) days after the revelations in the Sunday Times, that “Capita has reported an incident to us and we are assessing the information provided”.
On 29 April, it was revealed that the Pensions Regulator had been forced to write to the pension trustees of over 300 funds that engaged Capita as their administrator, informing them that “As a data controller you need to gain assurance that your data processed by Capita is secure and take action as necessary to protect your members … Please tell us what steps you have taken to meet your obligations as a data controller”. By 3 May, the Financial Conduct Authority (FCA) confirmed that it had written “to FCA regulated firms that are clients of Capita to ensure they are fully engaged in understanding the extent of any data compromise”.
On 10 May 2023, Capita issued a further announcement to investors, stating that “Capita understands now, based on its own forensic work and that of its third-party providers, that some data was exfiltrated from less than 0.1% of its server estate”, it had taken “extensive steps to recover and secure the customer, supplier and colleague data contained within the impacted server estate, and to remediate any issues arising from the incident”, and it was “working closely with all appropriate regulatory authorities and with customers, suppliers and colleagues to notify those affected and take any remaining necessary steps to address the incident”. Capita indicated that it expected “to incur exceptional costs of approximately £15m to £20m associated with the cyber incident, comprising specialist professional fees, recovery and remediation costs and investment to reinforce Capita’s cyber security environment”. This announcement led to the Pensions Regulator following up its letter to trustees with a public statement on 12 May asserting that “As trustees, you are responsible for the security of your members’ data”, urging them to contact pension members proactively and warning that it may contact them to understand what action they had taken.
Most recently, on 25 May 2023, the Information Commissioner issued a further statement: “We are aware of two incidents concerning Capita, regarding a cyber-attack in March and the use of publicly accessible storage. We are receiving a large number of reports from organisations directly affected by these incidents and we are currently making enquiries. We are encouraging organisations that use Capita’s services to check their own position regarding these incidents and determine if the personal data they hold has been affected. If necessary, consider reporting a data breach to the ICO and we will use this information to inform our next steps”. It has been reported that around 90 organisations had reported data breaches to the Information Commissioner as at 03 June.
With hundreds of thousands of individuals potentially affected, a number of law firms are also reported to be acting for or seeking potential claimants to bring compensation claims.
Capita’s CEO was right: this incident and its handling do have the potential to go down in history – but perhaps not for offering a playbook on how to deal with a cyber attack.
Capita’s woes have been quickly overshadowed, however. On 05 June, it was revealed that organisations including the BBC, British Airways and Boots had been forced to alert employees to the prospect of their payroll data being used for “illegitimate purposes”. The cause was the exploitation of a previously unknown ‘zero-day’ vulnerability (now designated CVE-2023-34362) in the third-party MOVEit Transfer and MOVEit Cloud software used by the payroll provider Zellis, which claims to count 42% of the FTSE 100 among its clients and which had been engaged as a sub-processor by their processor, IBM. Progress Software, MOVEit’s developer, had issued a security advisory on 31 May, together with a security patch for the critical vulnerability. Microsoft Threat Intelligence attributed the attack to Lace Tempest, considered to be a financially motivated group known for ransomware operations and for running the Clop / Cl0p extortion site. A post on the Cl0p extortion site on 06 June claimed responsibility and warned victims to open negotiations by 14 June by emailing the group to be given a dedicated chat URL, at which they would be provided with proof of the data held and the price for its deletion. Organisations would then have 3 days to negotiate; if agreement was not reached, the group threatened that data would begin to be published after 7 days and be published in full after 10 days. We have previously posted about the lawfulness of making ransom payments and compliance with cyber sanctions.
Despite the number of supply chain attacks having surpassed malware attacks in 2022, the Department for Science, Innovation & Technology’s recent Cyber Security Breaches Survey 2023 revealed that just 13% of businesses reported having examined the risks posed by their immediate suppliers and even fewer had looked to their wider supply chain.
What should data controllers be doing to understand and mitigate supply chain risk and what lessons can be learned from recent data breaches?
Conduct due diligence in relation to vendors prior to engaging them
Data controllers are required by Article 25(1) UK GDPR to implement appropriate technical and organisational measures – both at the time of determining the means of processing and at the time of processing – to comply with the UK GDPR and protect the rights of data subjects. Article 28 UK GDPR extends this obligation to the engagement of data processors, and requires data controllers to assure themselves that any data processor they engage offers “sufficient guarantees” of implementing “appropriate technical and organisational measures” to comply with the UK GDPR and ensure the protection of data subject rights. In practice, this requires data controllers not only to comply with the obligation to put in place a data processing agreement which stipulates that the supplier will take all necessary measures to comply with the obligations under Article 32 UK GDPR in relation to the security of processing, but (since a data processing agreement is not itself a guarantee of security) also to undertake their own enquiries. These could range from reviewing information security and back-up policies to ensure they meet minimum security requirements and obtaining certificates of accreditation and assurances, to requiring suppliers to answer information security questionnaires (whether the customer’s own or those offered by third parties) to assess the measures and controls in place and previous data incidents, to obtaining agreement to conduct penetration testing or code reviews. The NCSC has published guidance on supply chain security. Any assessment also needs to take into account any sub-processors engaged by the processor. Measures should be appropriate to the nature of the data and the risk arising from any unlawful processing of the personal data. If a supplier will have access to customer systems, and could therefore compromise them, the principle of least privilege should be followed in addition to these measures: grant the supplier only the access its role actually requires.
Customers should consider, particularly when engaging with SMEs and micro-businesses, which are less likely to have in-house IT teams or even external support, what support they can give to their supply chain in terms of setting minimum standards and/or directing or requiring entities to utilise free/subsidised services such as Police CyberAlarm, the NCSC Guidance for Small Business or the Cyber Resilience Centres. We have previously posted about the guidance and tools available to improve cyber resilience.
In practice, the larger the supplier, the less amenable they are likely to be to disclosing specific details of information security practices, participating in a customer’s own information security checks or to meeting the customer’s own minimum security standards, and it will therefore be for the customer to assess the risk associated with the processing and the trust they place in the supplier.
Negotiate the terms of the data processing agreement
While the UK GDPR establishes certain mandatory requirements to be incorporated in a compliant data processing agreement, the precise construction of the relevant clauses will often be a matter for negotiation. From the nature of the notification and rights of objection to changes to sub-processors, the nature, frequency and scope of the right to audit, participation in mid-contract reviews, the right to be notified and approve of any changes to security standards, the timing of any notification of an actual or suspected data breach, the scale of assistance to be provided in the event of an actual or suspected data breach, and the right to be informed of and to influence any communication to regulators and/or the public, clauses which favour the supplier will make life difficult for the customer in the event of a data breach.
Conduct a Data Protection Impact Assessment (DPIA) prior to commencing processing
The mandatory provisions of the data processing agreement include a requirement for the data processor to co-operate with the controller in enabling it to comply with its obligations, including to conduct a DPIA. This should reflect the use of third-party suppliers, the outcome of the information security assessment, as well as issues pertaining to any restricted international transfers of personal data, and the nature, scale and impact of the risk posed to data subjects as well as mitigations. This should be revisited periodically and whenever there is any material change to the processing activities. In the event of an incident, the Information Commissioner is likely to ask whether and, if so, when a DPIA was conducted and potentially to also request a copy.
Manage third- (and fourth-) party supplier risk throughout the processing lifecycle
Signing a data processing agreement and completing a Data Protection Impact Assessment (DPIA) should be the start of the supply chain management process, not the end of it. Periodic contract reviews provide an opportunity to revisit the terms of the data processing agreement (DPA) and DPIA and to ascertain whether anything has changed which hasn’t yet been notified, to consider the risk implications of any changes and identify any necessary additional or alternative mitigations, and to update the documentation to reflect this. They can also provide a useful checkpoint to ensure that access to networks, systems and data remains appropriate and is the minimum necessary. Identify the suppliers/contracts that have the greatest data protection risk and prioritise these as part of your audit programme. The supplier off-boarding process is just as important as on-boarding; ensure that data is returned and/or deleted and that access is removed.
Prepare for a supply chain data breach
The best time to mitigate the impact of a data breach is before it happens. Not only should your organisation have an accessible and rehearsed incident management plan in place, but your suppliers should be clear about who to contact in an emergency and that person should be familiar with the breach response plan. Maintain records of assets and what access each supplier has to networks and data so that these can be promptly removed if necessary. Review logs of access, downloads and exfiltrations to identify anomalies. Employ dark web monitoring to be alerted in the event that your organisation or its data is referenced. Secure your own cyber insurance, rather than relying solely on that of your supplier.
Deploy your arm’s-length incident management response plan
When an entity in your supply chain is successfully attacked, your organisation will be at arm’s length from the immediate investigation and remediation of the breach, but it is likely to be your organisation in the news and forced to appease angry data subjects.
Upon being notified of an attack, your immediate action will be to identify any potential indicators of compromise (including unauthorised user accounts, files, downloads or exfiltration) and to contain the incident in so far as you can by disabling access to networks and/or data, promptly applying available security patches and resetting user credentials. In so far as your own networks and systems have been breached, you should endeavour to preserve relevant evidence.
Notify your cyber insurer, if you have one.
As a data controller, you have 72 hours under Article 33 UK GDPR from being informed of a data breach to notify the Information Commissioner, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. The clock starts ticking when you are informed of a confirmed data breach, not when your processor becomes aware. In practice, many organisations - including data processors - will report all breaches with a view to being able to confirm having done so publicly, in the belief that this demonstrates that they are properly handling the incident. Where possible, you should try to ensure that any notification to the Information Commissioner is consistent with any submitted, or proposed to be submitted, by your supplier.
Despite notification of a data breach to affected data subjects only being mandatory under Article 34 UK GDPR where the breach poses a high risk to their rights and freedoms, even if this threshold is not met you will want to at least consider notifying them, particularly if the breach is or will be in the public domain. In any notification you will likely want to emphasise that it was not your data processing practices but those of a third party on whom you rely that have resulted in the incident. Your ability to assuage the concerns of data subjects will in part be reliant upon the accuracy and speed at which your supplier shares information with you, and you will therefore want to establish communication channels with the supplier and ensure regular updates and the co-ordination of public messaging.
Rather than relying solely on information provided by your supplier, you may wish to consider undertaking – or instructing experts to undertake – your own enquiries to get a handle on any threatened or actual exploitation of your data. Depending on the nature of any exfiltrated data, you may wish to consider offering data subjects identity theft and fraud protection monitoring. If there is a threat to publish the data, you will need to consider whether to pay a ransom. If data is published, you will want to consider seeking injunctive relief to secure its removal.
You may need to take further steps to remediate your own cyber security, or to seek assurances from your supplier as to their remediation of their security arrangements, for example to implement multi-factor authentication, or to restrict connections to authorised and trusted IP addresses.
Devise your legal strategy
As data controller, you are likely to be forced to engage on a number of legal fronts: compensation claims from affected data subjects; termination of the contract with the supplier; a breach of contract claim against your supplier, which may morph into a contribution claim by the supplier against any of their sub-processors; a claim for injunctive relief against persons unknown and internet service providers, such as cloud storage companies, web hosts and/or social media companies, to secure the removal of exfiltrated data; and/or regulatory action by the Information Commissioner and/or other regulators.
Data controllers are primarily liable to data subjects for any breach of the UK GDPR, albeit that if they are able to prove that they were not “in any way responsible for the event giving rise to the damage” they are exempt from liability under Article 82(3) UK GDPR.
All communications, internal and external, will be relevant to the proceedings and therefore you should consider seeking to establish legal privilege. Your supplier is likely to do the same, however, which may inhibit the prompt sharing of information and reports.
In the event of a finding that there has been a breach of the UK GDPR by the controller, for failing to ensure the reliability of data processors or to implement appropriate technical and organisational security measures, the Information Commissioner may impose an administrative fine of up to the greater of £17.5 million or 4% of annual global turnover. Such a fine is more likely if the controller is a private company rather than a public sector organisation. Factors to be taken into account include: the severity and duration of the breach; the nature of the personal data affected; the number of affected data subjects; the harm caused; the cost of mitigation; prior regulatory history; the manner in which the Information Commissioner became aware of the breach; the financial impact of the breach; measures taken to mitigate damage to affected individuals; and the security measures in place.
If you wish to establish a framework for engaging and managing data processors, to audit your existing vendor management processes, or require support in managing a supplier data breach, then don’t hesitate to contact us.
Find out more about our data protection and data privacy services.