Capita’s “standard industry practice” 633GB open cloud storage

Kevin Beaumont
DoublePulsar


TechCrunch has a story today about an unsecured Capita S3 bucket. A few people came across this last week — I saw it floating around social media and Discord amongst security researchers.

Capita claim it is “information such as release notes and user guides, which are routinely published alongside software releases in line with standard industry practice.”

Let’s test that statement.

The bucket — which has been closed since I reported it to Capita — was http://capitadownload.s3.amazonaws.com/

It is now offline. [screenshot not reproduced]

The bucket was indexed in cloud storage search engines, for example Grayhatwarfare. [screenshot not reproduced]

Here is an example of one of the “release notes and user guides” files — I have obscured the credentials — which is no longer available. [screenshot not reproduced]

Here is a list of the files which were publicly available in the passwordless S3 “standard industry practice” bucket, as a spreadsheet of their metadata. [spreadsheet not reproduced]
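To make “passwordless” concrete, here is what the listing that search engines such as Grayhatwarfare index actually looks like, as an added example that is not from the original post and not Capita’s or AWS’s code. An unauthenticated GET on the bucket root returns a ListBucketResult XML document carrying every key with its size and last-modified time, which is exactly the metadata a spreadsheet like the one above is built from; a 403 means listing is denied but says nothing about whether individual objects are fetchable. The bucket name, the sample XML and the filenames inside it are constructed for illustration and are not taken from the Capita bucket.

```python
"""Check whether an S3 bucket answers anonymous ListBucket requests and summarise
what the listing exposes. Added example, not code from the original post; the
sample XML and its filenames are constructed and do not come from any real bucket."""
from __future__ import annotations

import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Key names that should never sit in a "release notes and user guides" bucket.
SENSITIVE_KEY = re.compile(
    r"passw|credential|secret|config|backup|\.pem$|\.pfx$|\.key$|\.sql$|\.csv$|\.xlsx?$",
    re.IGNORECASE,
)

# Constructed sample of what S3 returns for GET https://<bucket>.s3.amazonaws.com/
# when the bucket policy or ACL grants s3:ListBucket to everyone.
SAMPLE_LISTING = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-download</Name>
  <MaxKeys>1000</MaxKeys>
  <IsTruncated>false</IsTruncated>
  <Contents><Key>Release_Notes_v3.1.pdf</Key><LastModified>2021-02-03T10:11:12.000Z</LastModified><Size>48213</Size></Contents>
  <Contents><Key>Install_Guide.pdf</Key><LastModified>2021-02-03T10:11:40.000Z</LastModified><Size>910004</Size></Contents>
  <Contents><Key>deploy/db_connection_config.txt</Key><LastModified>2021-02-10T08:00:01.000Z</LastModified><Size>612</Size></Contents>
  <Contents><Key>exports/clients_2021.csv</Key><LastModified>2021-02-11T16:45:09.000Z</LastModified><Size>2209344</Size></Contents>
</ListBucketResult>"""


def _local(tag: str) -> str:
    """Strip the XML namespace so the parser works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def parse_listing(xml_bytes: bytes) -> dict:
    """Turn a ListBucketResult document into {name, truncated, objects}.
    objects is a list of {key, size, last_modified}; truncated is True when the
    page held only the first MaxKeys (default 1000) objects and a continuation
    request (?list-type=2&continuation-token=...) is needed to see the rest."""
    root = ET.fromstring(xml_bytes)
    if _local(root.tag) != "ListBucketResult":
        raise ValueError(f"not a ListBucketResult document: {root.tag}")
    fields = {_local(c.tag): (c.text or "") for c in root}
    objects = []
    for contents in root:
        if _local(contents.tag) != "Contents":
            continue
        obj = {_local(c.tag): (c.text or "") for c in contents}
        objects.append({
            "key": obj.get("Key", ""),
            "size": int(obj.get("Size") or 0),
            "last_modified": obj.get("LastModified", ""),
        })
    return {
        "name": fields.get("Name", ""),
        "truncated": fields.get("IsTruncated", "false").strip().lower() == "true",
        "objects": objects,
    }


def flag_sensitive(objects: list[dict]) -> list[str]:
    """Return the keys whose names suggest credentials, configuration or data exports."""
    return [o["key"] for o in objects if SENSITIVE_KEY.search(o["key"])]


def check_bucket(bucket: str, timeout: float = 10.0) -> dict:
    """Live check: unauthenticated GET on the bucket root (no AWS credentials sent).
    200 + ListBucketResult -> anonymous listing allowed (the failure mode in this post)
    403                    -> bucket exists, listing denied; objects may still be public individually
    404                    -> no such bucket
    Not executed offline. Bucket names containing dots need the path-style URL
    https://s3.amazonaws.com/<bucket>/ to avoid a TLS certificate name mismatch."""
    url = f"https://{bucket}.s3.amazonaws.com/"
    req = urllib.request.Request(url, headers={"User-Agent": "bucket-listing-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            listing = parse_listing(resp.read())
    except urllib.error.HTTPError as err:
        return {"bucket": bucket, "status": err.code, "listable": False,
                "objects": [], "flagged": [], "truncated": False}
    return {"bucket": bucket, "status": 200, "listable": True,
            "objects": listing["objects"], "flagged": flag_sensitive(listing["objects"]),
            "truncated": listing["truncated"]}


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    listing = parse_listing(SAMPLE_LISTING)
    print(f"{listing['name']}: {len(listing['objects'])} objects, truncated={listing['truncated']}")
    for key in flag_sensitive(listing["objects"]):
        print("  looks sensitive:", key)
```

The filename heuristic is deliberately crude; the point is that once listing is anonymous, every key name is visible to anyone who asks, and a 1,000-key page with IsTruncated set to true is only the first page of the inventory.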

Here are some example filenames, all of which are unavailable now. [screenshot not reproduced]

I just want to repeat here Capita’s claim to the press: the bucket contains “information such as release notes and user guides, which are routinely published alongside software releases in line with standard industry practice.”

I’m sure Capita’s customers and regulators are reassured that the information they are receiving from Capita is factually accurate.

This storage bucket appears completely unrelated to the ongoing Black Basta situation.

Update 15th May 2023: Colchester City Council put out a blog entitled “Serious data breach sparks council probe”, in which they say:

“Colchester City Council is taking swift and decisive action in response to the unsafe storage of personal data by its financial services contractor, Capita.

The serious data breach has prompted the council to express its extreme disappointment with Capita, as it works with the company to understand the full extent of the data spill and take all necessary steps to minimise any impact on residents.”

TechCrunch today has an article which says:

Scott Collins, a spokesperson for Colchester City Council, confirmed to TechCrunch that the council’s statement relates to Capita’s May data exposure, and screenshots of the data seen show that data pertaining to Colchester City Council was included in the AWS bucket, which has since been secured.

The AWS bucket is the one referred to in this article. Capita declined to comment.

Update 18th May 2023: The Financial Times reports that six councils are investigating a data breach from this Capita-managed storage bucket:

Councils including Coventry, Adur and Worthing in West Sussex, Rochford District and South Staffordshire said their data had also been left exposed. Coventry said it had “been belatedly informed that there has been a potential historic data breach by our financial services contractor Capita”. “We are extremely concerned and disappointed by this news, not just because we take such matters very seriously, but also the length of time it took to alert us,” the council added.

Update 23rd May 2023: Adur and Worthing Councils have a post up, in which they say this:

Earlier this month we became aware of a potential breach at Capita, involving systems the company was managing for us in February 2021.

Capita then wrote to us on 16th May this year to highlight the breach. It said that the breach did not involve personal data.

Our internal investigation has involved reviewing each of the files that Capita has said was involved. Unfortunately this has revealed that those files did in fact contain some personal data belonging to around 100 Adur and Worthing residents.

I just want to timeline this out:

  • 24th April — I notified Capita of the exposed S3 bucket.
  • 5th May — TechCrunch first report on the issue, Capita misrepresent the issue to the press, I write this blog.
  • 15th May — Colchester Council issue a statement about “Serious data breach sparks council probe” — citing the same S3 bucket.
  • 16th May — Capita falsely notify Adur Worthing Council “that the breach did not involve personal data.”
  • 23rd May — Adur Worthing Council themselves fact check Capita and realise the files contain personal data.

Uhm.
