Context
The ICO has issued a statement regarding a recent cyber attack on Capita in March 2023.
Key points to note
“We are aware of two incidents concerning Capita, regarding a cyber-attack in March and the use of publicly accessible storage. We are receiving a large number of reports from organisations directly affected by these incidents and we are currently making enquiries.
We are encouraging organisations that use Capita’s services to check their own position regarding these incidents and determine if the personal data they hold has been affected. If necessary, consider reporting a data breach to the ICO and we will use this information to inform our next steps.
Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms. If an organisation decides that a breach doesn’t need to be reported, they should keep their own record of it and be able to explain why it wasn’t reported if necessary.”
Next actions
If your firm uses Capita’s services, identify if any personal data they hold for your firm has been affected and take any necessary action.