
Capita data breach

Published: 7 July 2023
Filed under: Communications

We were notified on Tuesday 16 May of a suspected data breach by our software contractor Capita. Some information about Waltham Forest residents was briefly placed in a publicly accessible online folder, which meant that people outside the company could have viewed it.

Other councils around the country have also been similarly affected.

The information included people’s council tax balances as of 1 April 2022 and their names, as well as some data relating to business rates. No bank or payment details were included.

We are unhappy that Capita has failed in the duty of care we expect of our suppliers, and the incident has been referred to the Information Commissioner’s Office (the UK’s data protection watchdog).

Capita has told us they have found nothing to suggest these details have been used illegally and, having reviewed the breach, they believe the risk is low.

We contact residents via text messages, phone calls, and emails, and there is information on our website so that you can be sure any communications you receive are genuine. Waltham Forest Council will never ask for your bank details over the phone.

If in doubt, please call 0208 496 3000 and check with the council directly. 

If you are concerned that you may have been a victim of a scam or fraud you should:

  • immediately stop any communication you have with the potential scammers
  • contact your bank or call the new 159 Stop Scams UK hotline
  • report it to the police online through Action Fraud or by calling 0300 123 2040

You can also get more help and support through the Citizens Advice Scams Action service or by calling their Scams Action helpline on 0808 250 5050.

FAQs

How did this data breach happen?  Why was my data held by Capita?

Capita provides software services to Waltham Forest Council and other local authorities. The Council used Capita to undertake the 2022/23 Council Tax and business rates annual billing. The data held by Capita were reports related to that activity. The data was stored in an unsecure hosting service that was initially set up to hold user guides for its software. We now know that personal customer data was accidentally stored in this unsecure location by Capita.

How did it come to light?  

The council was made aware of the incident by a letter from Capita on 16 May 2023. The letter explains that they had secured the data and the site as soon as it had been brought to their attention and that they were investigating the incident.   

What action has the Council taken?  

We have asked Capita a series of questions to understand what happened, and particularly to understand what data has been affected and whether it has been inappropriately accessed. We have also worked closely with Capita to fully investigate the incident. Capita have completed their investigations into how the incident occurred and established that this was an isolated incident which does not affect other data held by Capita. All affected data has been identified and we are satisfied that no data other than what we have brought to your attention has been affected.

What is the Council doing to make sure my data is safe?

Following the incident we have reviewed, and will continue to regularly review, the access control measures relating to Capita. We will also collaborate with them to improve communication and storage processes to deliver the ongoing assurances we expect from the contract. Additionally:

Phone calls: We ask security questions using the information we hold about you to make sure the person we are talking to is you or has your permission to talk to us.

Letters requesting payments: If we send you letters requesting payments we will offer you different options including going onto the council website, calling the customer contact centre, or paying at your bank, post office, or local PayPoint. We will never ask you to click on a link and insert your bank details. If you receive correspondence with a link to make payment this has not come from us. 

Has the Council’s Data Protection Officer notified the Information Commissioner’s Office (ICO)?

Yes, the Council has notified the ICO and has remained in regular contact with the ICO throughout its investigations.  

Has personal information been involved?

Some personal data was held in an unsecure location, but we have no evidence that this information was accessed maliciously. For unauthorised persons to access the hosting service, they would have needed the exact weblink to the hosting service, which was not available through search engines. Analysis has taken place on the IP addresses that accessed the hosting service during the time that the information was available, but we are unable to identify whether or not this information was accessed by unauthorised persons.

Exactly what has been compromised? Are bank account details involved?  Has my data been accessed?

Personal data related to Council Tax and business rates annual billing for 2022 has been compromised. No bank account information was included in the compromised data. Capita have completed their investigations but have been unable to determine whether any unauthorised access to the data has occurred. Capita has told us they have found nothing to suggest these details have been used illegally and, having reviewed the breach, they believe the risk is low.

What types of personal data have been affected?  

Council Tax payers  

The data included details of people who were liable for Council Tax in Waltham Forest during the 2022/23 billing year only. Specifically, the data included:

  • The name of one Council Tax payer, even if more than one person was liable.    
  • The Council Tax account reference number  
  • The property reference number  
  • The amount of Council Tax payable  

Business rates payers

The data included details of people and organisations liable for business rates. Specifically, the data included:  

  • The name of the person or organisation liable to pay business rates  
  • The correspondence address for the business rate account  
  • The business rates account reference  
  • The amount of business rates payable  
  • The property reference number  

Has any data been made public or referred to publicly?  

There has been no indication that the data is available or being referred to publicly anywhere. This is, however, being monitored by Capita and if this situation should change we will provide an update.  

Is Capita checking the dark web to see if this information is for sale?  

We have confirmed that Capita will be monitoring the dark web, and they have been asked to provide the Council with information on any relevant publications. To date, no information associated with the unsecure storage site has been found on the dark web.

How have you assessed the risks? 

We do not believe that there is an elevated risk to individuals arising from the incident. This will remain under constant review and if the situation changes or we become aware that the information has been accessed or is available we will reassess this advice.  

If the risks are low, why are you telling people? 

Sometimes we are required to do so by law. Article 34(1) of the UK GDPR (General Data Protection Regulation) says we must notify individuals, referred to as data subjects, where there is a personal data breach which is likely to result in a high risk to the rights and freedoms of individuals, and this should be done without delay. Examples of high risk are financial fraud, physical harm and distress.

Based on the information available, we do not consider that the threshold set out in Article 34(1) has been met. However, we are aware that the incident has been reported in the media, and in the interests of transparency we have decided to provide this information.

Has Capita appointed a cyber security company for advice?  

This issue is not the result of a cyber security incident. Notwithstanding this, Capita has engaged their own technology specialist alongside third parties such as Amazon and Microsoft to assist with their investigation into this issue.  

Is there a contract in place between Waltham Forest Council and Capita?  Is the Council still using Capita?

Yes, the Council has been in contract with Capita for several years (since 1998 for Benefits and 2003 for Revenues). They are the suppliers of the software systems used by the Revenues and Benefits service. This breach is the first incident of that nature that has occurred since the contract began. 

Will you provide further updates on the situation?  

Yes. If new information comes to light we will provide updates. We will continue to monitor this, and if the situation changes or our analysis of the risk changes, we will provide further updates.

Where can I find good advice on how to protect my personal data or if I’m worried that any of my information has been compromised?  

The Information Commissioner’s Office provides information about the precautions you can take to protect yourself from identity fraud or the misuse of your information.

How can I be sure that the information I’ve received from the Council is real and not a scam?

We contact residents via text messages, phone calls, and emails, and there is information on our website so that you can be sure any communications you receive are genuine. Waltham Forest Council will never ask for your bank details over the phone.

If in doubt, please call 0208 496 3000 and check with the council directly. 

If you are concerned that you may have been a victim of a scam or fraud you should:

  • immediately stop any communication you have with the potential scammers
  • contact your bank or call the new 159 Stop Scams UK hotline
  • report it to the police online through Action Fraud or by calling 0300 123 2040

You can also get more help and support through the Citizens Advice Scams Action service or by calling their Scams Action helpline on 0808 250 5050.

How can I make a formal complaint about the incident?  

If you wish to raise a concern or complain about the data incident, you can do so by using the online form available on our website.

Alternatively, you can write to: The Data Protection Officer, Waltham Forest Town Hall, Forest Road, London, E17 4JF

Your complaint will be dealt with by the Data Protection Officer.