Outsourcing giant Capita, which provides essential services to the UK's government, admitted that hackers stole data from its system during a cyberattack last month.
The company's latest investigation found hackers infiltrated the network on or around March 22, which means they accessed the system for approximately 10 days before Capita "interrupted" the breach on March 31.
The attack affected around 4% of Capita's server estate and resulted in data theft, the company confirmed on Thursday.
"There is currently some evidence of limited data exfiltration from the small proportion of affected server estate which might include customer, supplier, or colleague data," the company said.
While the company claims that the impact of the incident was "significantly restricted," concerns remain over the potential exposure of sensitive data, especially given Capita's size and the extent of its involvement with critical public and private sectors. As one of the largest business outsourcing providers in the UK, the company operates in markets such as education, healthcare, government, and finance, with over 50,000 employees and £6.5 billion worth of public sector contracts.
Capita has not specified the number of affected customers but promised to "provide assurance" around any potential data exfiltration. Plus, the company claims that it has restored all the impacted systems.
On March 31, Capita experienced major outages of its internal system, which prevented its clients and employees from accessing internal Microsoft Office 365 applications.
Three days later, the company confirmed that it suffered a cyberattack, claiming that "there is no evidence of customer, supplier or colleague data having been compromised" during the time.
On April 17, the Black Basta ransomware group listed Capita on its leak site and claimed it would sell the data to interested buyers unless the company paid for the ransom demand.
As proof of data exfiltration, the ransomware gang also shared some documents on the site, including clients' bank account information, passport pages, and physical addresses.
The company did not make public comments regarding the allegation of Black Basta.