More than 5,000 individuals impacted by data breaches stemming from two separate cyber incidents targeting outsourcing firm Capita in 2023 have initiated legal proceedings in a group action lawsuit at the High Court of England and Wales. The lawsuit is led by Manchester-based Barings Law, which claims to represent the growing number of affected people, with approximately 50 new claimants joining daily.
The two incidents involved a ransomware attack attributed to the Black Basta syndicate and an accidental leakage of data from an unsecured AWS S3 bucket. Barings Law alleges that its investigations revealed significant information breaches, including compromised emails, passport data, home addresses, and fraudulent purchases made using victim bank accounts.
Adnan Malik, Head of Data Breach at Barings Law, emphasized the significance of the lawsuit, stating, “Our High Court action speaks volumes, echoing the concerns of thousands of distressed individuals whose privacy was jeopardized. It’s time to ensure that corporations prioritize safeguarding the digital trust we all rely on.”
Malik highlighted the broader impact, stating that this could potentially be one of the largest data breaches ever seen in the UK. He noted the profound consequences for individuals, ranging from potential financial losses to the compromise of highly sensitive details.
Capita, anticipating the Black Basta cyber attack to cost between £15m and £20m, insists that the data stolen was extremely limited and taken from less than 0.1% of its overall server estate. The affected customers include pension funds and NHS England, with minimal data taken. The breach from the unsecured Amazon bucket impacted local authorities and included details of benefit claimants.
Malik expressed concern about the impact on affected individuals compared to Capita’s projected cost. He emphasized the pursuit of justice, stating, “Our pursuit of justice doesn’t just send a message; it roars one into the void – data breaches exact a toll that reverberates and serves as a poignant reminder, urging companies to imbue their actions with empathy, to safeguard personal data they hold.”
In response, a Capita spokesperson said, “There is no evidence of any information in circulation, on the dark web or otherwise, resulting from the cyber incident, and no evidence linking Capita data to fraudulent activity. Whilst we don’t comment on specific ongoing legal matters, we strongly reject any suggestion that there is any valid basis for bringing a claim against Capita.”
