Security researcher finds trove of Capita data exposed online

London-based outsourcing giant Capita left a trove of data exposed online for seven years, TechCrunch has learned, just weeks after the company admitted to a data breach potentially impacting customer data. 

Requesting anonymity, a security researcher alerted TechCrunch to an unprotected Amazon-hosted storage bucket, which was secured by Capita last week. 

The AWS bucket, which the researcher said had been exposed to the internet since 2016, contained approximately 3,000 files totaling 655GB in size. There was no password on the bucket, allowing anyone who knew the easy-to-guess web address to access the files. Details of the exposed cloud server were also captured by GrayHatWarfare, a searchable database that indexes publicly visible cloud storage.

The exposed data included software files, server images, numerous Excel spreadsheets, PowerPoint presentations and text files, according to a sample of filenames reviewed by TechCrunch. One of the text files contained login details for one of Capita’s systems, the security researcher told TechCrunch, and some filenames suggested data was being uploaded to the exposed bucket as recently as this year.

It’s not clear whether data belonging to Capita customers, a list which includes the U.K.’s National Health Service and the Department for Work and Pensions, was contained within these files. “I’m going to guess some of this stuff is not supposed to be available to the internet, given they closed the bucket since,” the security researcher told TechCrunch.

Capita was alerted to the data breach in late April and secured the bucket that same week. The security researcher, who notified Capita of the breach, told TechCrunch that while the exposed bucket was promptly closed, the company doesn’t have a responsible disclosure program or a dedicated security contact.

Capita spokesperson Elizabeth Lee told TechCrunch in a statement that the unsecured bucket contained “information such as release notes and user guides, which are routinely published alongside software releases in line with standard industry practice.” She declined to answer additional questions.

The researcher said he believes this incident is unrelated to the late March Capita cyberattack claimed by the Black Basta ransomware group. The scope of that cyberattack remains unknown, though Capita admitted last month that it had seen evidence of “limited data exfiltration” which “might include customer, supplier or colleague data.”

Samples of the leaked data, seen by TechCrunch, included bank account details, passport photos and driver’s licenses, and the personal data of teachers applying for jobs at schools. Capita has also told trustees that some data related to pensions is “likely to have been exfiltrated,” according to the Financial Times.

These files have not been shared publicly by Black Basta. It’s not known whether a ransom demand was paid. 

Updated with comment from Capita.