Lessons from the BlackBasta Ransomware Attack on Capita

ID: 4cf3c2f6-20d0-57a3-8459-92dbff4eb43d

STIX ID: report--4cf3c2f6-20d0-57a3-8459-92dbff4eb43d

Feed Name: BushidoToken Blog

Threat Score: 85/100

Date Published: 2025-10-19

Date Updated: 2026-05-08

This CTI report reviews the March 2023 BlackBasta ransomware attack on Capita. The attack resulted in exfiltration of approximately 6,024,221 data subjects' records (including passports, NI numbers, bank details and biometrics), widespread domain compromise across at least eight domains, attempted ransomware deployment to over 1,000 hosts, an ICO fine of £14M and remediation costs up to £20M. The report reconstructs the timeline and TTPs, highlights root causes (missed/high-priority alerts, SOC understaffing, lack of AD tiering and automation), and provides actionable lessons (PAM, SOAR, AD segmentation, prompt remediation of pentest findings) for SOCs and CISOs.