THE LENS
Digital developments in focus

Preventing Core Technical Failures: Lessons from the Capita Breach

The Information Commissioner’s Office (ICO) investigation into Capita’s 2023 cyber attack has concluded with a £14 million fine for the group. Since that attack there have been many more high-profile cyber attacks, and there is no sign of that changing any time soon. It is therefore important for organisations to learn from previous incidents to help prevent them, or at least to mitigate their impact.

The ICO’s penalty notice in Capita contains a number of interesting points. In this blog we focus on the technical and organisational control learnings which in-house IT teams should consider against their own organisation’s set-up. 

What happened

In March 2023, Capita was hit by a multi-stage cyber attack. A malicious JavaScript file gave attackers initial access. This was followed by the compromise of a domain administrator account, lateral movement across eight separate network domains, and the exfiltration of 975 GB of data. Ransomware was then deployed, triggering a global password reset and weeks of disruption. The breach affected over six million personal records, including special category data, and multiple organisations which used Capita as their service provider.

The ICO found that Capita failed to:

  • implement appropriate technical and organisational measures to prevent both privilege escalation and unauthorised lateral movement through the network; and
  • effectively respond to security alerts when detected.

More details on these are set out below.

Security design failures

The first infringement centred on the absence of effective Active Directory tiering (which involves separating admin accounts by risk) and privileged access management (i.e. restricting access to sensitive systems). Because accounts were not segregated by risk and function, a compromise of a lower-privilege account enabled the attackers to move through the system and gain domain-admin level access. 

A further issue the ICO highlighted was Capita’s handling of penetration test findings. Vulnerabilities the penetration test identified in one part of the environment were not shared across other business units which used the same systems. This missed opportunity to remediate consistently across the wider estate demonstrated a systemic failure rather than an isolated oversight. Capita argued that “holistic analysis” of penetration test reports was not possible due to the federated nature of its business. However, the ICO criticised this siloed approach, particularly as Capita’s own IT security standards required penetration test reports to be shared with its CISO, meaning senior security staff ought to have been aware of the vulnerability.

The ICO also noted that no penetration testing had occurred in the compromised systems, despite these holding more sensitive data.

These security design failures highlight the importance of central co-ordination and oversight, cross-group learning and strategic planning when it comes to testing.

Alert-response failures

A high-priority alert was raised minutes after the initial compromise but went unaddressed for 58 hours, missing Capita’s own one-hour response service level by 57 hours. The delay was due to insufficient staffing, a known issue within Capita’s Security Operations Centre team. 

The ICO considered that alert-handling is itself a technical and organisational measure under Article 32 of the UK General Data Protection Regulation (UK GDPR) and that Capita failed to “use and implement” this important measure. The delayed response allowed the attacker to establish persistence, move laterally, harvest credentials and exfiltrate data.

Duration and scale

The ICO also stressed that the relevant failures were not limited to March 2023 (the time of the attack). The privilege-escalation and lateral-movement issues had, the ICO found, been present the whole time the UK GDPR had applied (i.e. since 25 May 2018), escalating the seriousness of the failures.

The fact that the alert-response delay continued for 58 hours, significantly failing the internal SLA, also contributed to the seriousness of the failures. 

What in-house teams should do

The ICO’s penalty notice provides a useful summary of measures which it expects organisations to follow. These include:

  • Implement Active Directory tiering and privileged access management. Segregate administrative functions by risk, review elevated accounts, and keep evidence that monitoring is taking place.
  • Create an enterprise vulnerability-sharing process. Share learnings from penetration testing across your entire business.
  • Test SOC responsiveness. Measure time to triage and time to containment for high-priority alerts, report those metrics to the risk committee, and resource your Security Operations Centre appropriately.
  • Apply policies and keep an audit trail. Ensure policies are operationalised and internal SLAs are met, and document compliance. The ICO repeatedly looked for evidence that measures were “implemented and used.” Policies alone were not sufficient.
  • Best practice. Ensure key protection measures like multi-factor authentication, endpoint detection and response and regular patching are in place across all critical systems.
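The third bullet asks teams to measure time to triage and time to containment for high-priority alerts against their internal SLA. The following is an added illustration of that measurement, not code from the blog or from Capita; the one-hour high-priority target is the service level the notice describes, while the medium/low SLA values, the alert records and the timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

# SLA per priority in hours. The one-hour high-priority target is the internal
# service level described in the notice; the medium/low values are assumptions.
SLA_HOURS = {"high": 1, "medium": 8, "low": 72}

@dataclass
class Alert:
    alert_id: str
    priority: str
    detected: datetime
    triaged: Optional[datetime]      # None: nobody has picked the alert up yet
    contained: Optional[datetime]    # None: not yet contained

def hours_between(start, end, now):
    # Hours to 'end', or to 'now' if that step has not happened yet (delay keeps accruing).
    return ((end or now) - start).total_seconds() / 3600

def sla_report(alerts, now):
    # Per-alert timings plus the summary figures a risk committee would see.
    rows = []
    for a in alerts:
        ttt = hours_between(a.detected, a.triaged, now)
        ttc = hours_between(a.detected, a.contained, now)
        limit = SLA_HOURS[a.priority]
        rows.append({"id": a.alert_id, "priority": a.priority,
                     "time_to_triage_h": ttt, "time_to_contain_h": ttc,
                     "sla_breached": ttt > limit, "hours_over_sla": max(0.0, ttt - limit),
                     "untriaged": a.triaged is None})
    high = [r for r in rows if r["priority"] == "high"]
    summary = {"high_alerts": len(high),
               "high_breach_rate": sum(r["sla_breached"] for r in high) / len(high) if high else 0.0,
               "high_median_triage_h": median(r["time_to_triage_h"] for r in high) if high else 0.0,
               "high_worst_triage_h": max((r["time_to_triage_h"] for r in high), default=0.0),
               "untriaged_high": sum(r["untriaged"] for r in high)}
    return rows, summary

# Constructed sample alerts (not Capita's real log). A-1 mirrors the pattern in the
# notice: a high-priority alert triaged 58 hours after detection against a 1-hour SLA.
T0 = datetime(2023, 3, 1, 9, 0)  # constructed start time
SAMPLE_ALERTS = [
    Alert("A-1", "high", T0, T0 + timedelta(hours=58), T0 + timedelta(hours=60)),
    Alert("A-2", "high", T0 + timedelta(hours=1), T0 + timedelta(hours=1, minutes=30), T0 + timedelta(hours=3)),
    Alert("A-3", "medium", T0 + timedelta(hours=2), T0 + timedelta(hours=5), T0 + timedelta(hours=9)),
    Alert("A-4", "high", T0 + timedelta(hours=70), None, None),  # still in the queue
]
NOW = T0 + timedelta(hours=72)
```

Alerts still sitting untriaged are measured against the current time rather than dropped, so a queue that nobody is staffing shows up in the breach rate instead of hiding behind a blank field.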

"Capita failed in its duty to protect the data entrusted to it by millions of people. The scale of this breach and its impact could have been prevented had sufficient security measures been in place." (John Edwards, UK Information Commissioner)
