ICO urges Capita customers to ‘check their position’ after 90 organisations report data breaches

Written by Sam Trendall on 31 May 2023 in News

Technology services firm has revealed two data-compromising incidents in recent weeks

 


The UK’s data-protection regulator has urged Capita customers to “check their position” after 90 organisations have now reported data breaches resulting from recent security incidents affecting the IT services firm.

Over a nine-day period at the end of March, cyberattackers gained unauthorised access to Capita servers, during which time the company believes some customer data may have been compromised. Earlier this month, it emerged that sensitive personal data held by eight councils was exposed by the company’s use of unsecured storage in an Amazon Web Services ‘bucket’.

Six of the eight have since made public statements – many of which express strong disappointment and indicate a desire to review their engagement with Capita.

Across the two incidents, it is understood that a total of 90 organisations have reported data breaches to the Information Commissioner’s Office.

The regulator has issued a statement indicating that it is investigating these reports, and encouraging other clients of Capita to check whether they might have been impacted.




“We are aware of two incidents concerning Capita, regarding a cyberattack in March and the use of publicly accessible storage. We are receiving a large number of reports from organisations directly affected by these incidents and we are currently making enquiries,” the statement said. “We are encouraging organisations that use Capita’s services to check their own position regarding these incidents and determine if the personal data they hold has been affected. If necessary, consider reporting a data breach to the ICO and we will use this information to inform our next steps.”

It added: “Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms. If an organisation decides that a breach doesn’t need to be reported, they should keep their own record of it and be able to explain why it wasn’t reported if necessary.”

A statement from Capita said: “Capita continues to work closely with specialist advisers and forensic experts to investigate the cyber incident and we have taken extensive steps to recover and secure the data. In line with our previous announcement, we have worked quickly to provide our clients with information, reassurance and support, while delivering for them as a business. In instances where we need to provide further support to those affected, we will do so. The AWS data is secure and no longer accessible and our investigations into this matter are ongoing.”

 

About the author

Sam Trendall is editor of PublicTechnology. He can be reached on sam.trendall@publictechnology.net.
