Capita wins £565m in government contracts – despite major data breach

Capita was today confirmed as the government’s chosen partner in two contracts worth a combined total of £565m – despite two recent major data breaches, the impact of which is still being investigated.

The firm said the investigation and clear up will cost between £15m and £20m – this includes “further steps [taken] to ensure the integrity, safety and security of its IT infrastructure”.

The data and IT outsourcing giant will deliver a new service – the Functional Assessment Services – for the Department for Work and Pensions (DwP) and the Department for Communities (DfC) in Northern Ireland, which will entail carrying out health assessments for vulnerable members of society such as benefits claimants.

Chief executive Jon Lewis said Capita “focus[es] on quality and claimant experience” and that the firm will invest in “our health professionals who deliver such a vital public service”.

Capita is one of the UK government’s biggest suppliers, handling government contracts, private pension plans and providing services to local government including administration around benefits and taxes.

However, the firm has recently suffered two major data breaches. The first, in late March, was a cyber attack. Although the data processing firm originally said there was “no evidence” of comprised customer data, it later emerged that private sector clients, including M&S, Diageo, Unilever and Rothesay, all likely had members affected by the hack.

The second data breach emerged this month and has affected local councils working with Capita.

The news was sparked by Colchester council last Monday, which said benefits details of its residents were left exposed on an unsecured Amazon Data Bucket that was controlled by Capita.

Several other councils have now complained of similar breaches and are launching investigations.

​​Coventry council said it had “been belatedly informed that there has been a potential historic data breach by our financial services contractor Capita”.

When asked by City A.M. about the new contracts and the data breach, the DwP said “an evaluation process was undertaken, which evaluated bids based on a combination of quality and pricing to achieve the most economically advantageous tender for each geographical area”.

Capita declined to comment further but has previously said it is working with “third-party technical advisers to investigate” the latest revelation of a data breach involving local councils. It confirmed historic data is “secure and no longer accessible”.

In a statement announcing the new contracts, Lewis, said: “We are proud to have been selected as the preferred bidder to deliver these new contracts, which are central to the government’s long-term plan for health assessments.

“We will bring our strong track record for delivery in this sector and our relentless focus on quality and claimant experience to this range of benefits. We will also be investing in our health professionals who deliver such a vital public service.”

The news comes as the public body the Information Commissioner’s Office (ICO) issued a statement on Capita’s double data breach: “We are aware of two incidents concerning Capita, regarding a cyber-attack in March and the use of publicly accessible storage”.

The IPO recognised the number of complainants concerning Capita: “We are receiving a large number of reports from organisations directly affected by these incidents and we are currently making enquiries.”

It also reconfirmed that “organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms.

“If an organisation decides that a breach doesn’t need to be reported, they should keep their own record of it and be able to explain why it wasn’t reported if necessary.”