Failed IT systems at Capita fuel fears of cyber-attack on crucial NHS provider

Computer systems have abruptly stopped working at the outsourcing group Capita, knocking out local council phone lines and triggering fears that the company that runs crucial operations for the NHS and the military could be under cyber-attack.

Capita staff are understood to have been unable to access IT systems since the early hours of Friday, and an early investigation has yet to establish the cause.

A spokesperson for the company, who was unable to access their own email, said in a statement dictated over the phone: “We are aware of a technical issue with our systems, which we are investigating.”

Capita’s customers include the London boroughs of Barnet, South Oxfordshire, and Barking and Dagenham, whose websites all displayed messages on Friday saying that their benefits, council tax and business rates contact phone lines were down.

A source familiar with the outage said the National Cyber Security Centre, the Cabinet Office and other government agencies had been alerted to the incident, given the group’s role in sensitive areas such as Royal Navy training centres and security at Ministry of Defence bases.

People at sites including critical national infrastructure have resorted to using radios, pens and paper, the source said.

Some employees still have access to computers and email, and the company said its investigation was in the early stages and that it was too soon to tell if the failure was caused by a cyber-attack.

According to sources at Capita, company systems went down at 4am but many staff were not aware until they tried to log on at 7am. Employees received a text from the company at 8.45am, explaining that there was a company-wide problem.

One staff member, who asked not to be named, said they were unable to log into their laptop, with their usual password rejected as “incorrect”. They said employees could not access Capita’s systems or any other computer programmes.

Staff were told by text: “We are urgently investigating this and will provide you with an update shortly. Please do not attempt to access via VPN or submit password recovery requests.”

The outage, first reported by the Times, is likely to concern the UK government because Capita, which employs more than 50,000 people in the UK, has contracts worth hundreds of millions of pounds to manage key public services across a broad spread of government departments.

Capita also runs major central government contracts. Its public service division, whose main customer is the British government, reported revenues of £1.4bn last year, consolidating its position as a key supplier at the heart of the government’s efforts to improve digital services.

It provides primary care support services for the NHS, electronic tagging for the prisons and probation service, recruitment for the British army, maintenance at the UK’s Submarine Training Centre, and fire and rescue operations for the Ministry of Defence, a contract worth £525m over 12 years.

It operates Transport for London’s road-charging system, covering the congestion charge and ultra-low emissions zone, and the Department for Work and Pensions’ disability payment assessments. It also holds a contract with HM Revenue and Customs to automate some of the tax collection authority’s processes and has a £456m contract with the BBC to collect the licence fee.

TfL, which was Capita’s largest public sector customer in 2021-22, with a spend of £140m, according to the data analysis firm Global Data, said its services had not been affected.

Global Data said Capita was the UK’s third largest public sector supplier, receiving £465m of public money last year.

Capita also provides call centre services for private customers including Thames Water, William Hill, BMW and O2.

A source at one private business that uses Capita software for human resources and finance functions said that employees who were already logged in were able to continue using it but those attempting to log in were unable to access their accounts.

Some clients are understood to use their own ring-fenced technology systems, which insiders believe should protect them from any impact.

Smart DCC, a subsidiary of Capita that is responsible for Britain’s smart energy meters, said: “The national secure smart meter network is functioning normally, and is unaffected by IT issues that have been reported.”

Capita’s rival Interserve was fined £4.4m for failing to prevent a cyber-attack last year. However, it is not yet clear if Capita’s issues have been caused by hackers.

The Guardian has approached multiple government departments that use Capita’s services for comment.