Breach

Are we stuck in a cyber world that never learns? Are we doomed to suffer the same fate over and over again? Well, not if you take action: you can totally prevent events like this!

This is a quick post using an LLM to analyse the redacted ICO report on the Capita breach. Hopefully it will help people think about these issues, take the lessons and apply them in their own organisations.

A GROK analysis of the Capita breach kill chain:

Cyber Kill Chain Analysis of the Capita Data Breach

The following analysis maps the Capita data breach incident, as detailed in the Information Commissioner’s Office (ICO) Penalty Notice dated October 15, 2025, to the Cyber Kill Chain framework. The incident, which began on March 22, 2023, and culminated on March 31, 2023, involved a cyber-attack that exploited a weak password on the CAPITA\backupadmin account and likely utilized a Kerberoasting attack to escalate privileges. This analysis highlights how Capita’s failures in technical and organizational measures, as required by Articles 5(1)(f) and 32 of the UK GDPR, allowed the threat actor to progress through the kill chain, resulting in the exfiltration of 974.84GB of data affecting 6,656,037 individuals and the deployment of ransomware impacting 59,359 accounts.

Cyber Kill Chain Analysis

1. Reconnaissance

Description: The attacker gathers information about the target to identify vulnerabilities, such as network structure, employee details, or system configurations.

Incident Details: The Penalty Notice does not explicitly detail the reconnaissance phase, as Capita was unable to confirm how the malicious JavaScript file (jdmb.js) was downloaded (paragraph 38). It is likely that the threat actor conducted reconnaissance to identify vulnerable devices or accounts, targeting the CAPITA\backupadmin account due to its weak password or susceptibility to Kerberoasting, a technique in which Kerberos service tickets issued for accounts with Service Principal Names (SPNs) are requested and then cracked offline to recover the service account’s password.

Capita’s Failure

  • Lack of Proactive Vulnerability Management: Capita failed to conduct robust penetration testing and vulnerability assessments, as required by NCSC guidance and ISO 27001 (paragraph 71), missing weak passwords or Kerberoasting vulnerabilities.
  • Inadequate Asset and Account Management: Capita’s weak asset management system (paragraph 67) and lack of privileged access management (PAM) (paragraph 81) failed to secure high-privilege accounts like CAPITA\backupadmin, making reconnaissance easier.

2. Weaponization

Description: The attacker creates a malicious payload to target identified vulnerabilities.

Incident Details: The threat actor prepared a malicious JavaScript file (jdmb.js) to deliver Qakbot and Cobalt Strike malware (paragraphs 38, 40), likely designed to exploit weak credentials or Kerberos authentication weaknesses.

Capita’s Failure

  • Failure to Secure Accounts Against Kerberoasting: Capita did not protect service accounts with strong passwords or limit SPN exposure, increasing vulnerability to Kerberoasting (paragraph 81).
  • Inadequate Endpoint Protection: Lack of advanced endpoint protection (paragraph 67) allowed the payload to be delivered undetected.

3. Delivery

Description: The attacker delivers the malicious payload, often through phishing, drive-by downloads, or network vulnerabilities.

Incident Details: On March 22, 2023, at 07:52, the threat actor gained access by downloading jdmb.js onto an employee device via a suspected drive-by download (paragraphs 38-39).

Capita’s Failure

  • Inadequate Endpoint Security: Capita’s endpoint protection failed to block the malicious file (paragraphs 67, 382).
  • Weak Passwords and Kerberoasting Vulnerability: The weak password on CAPITA\backupadmin increased the risk of exploitation via Kerberoasting post-delivery (paragraph 81(i)).

4. Exploitation

Description: The attacker exploits a vulnerability to execute the payload, gaining a foothold.

Incident Details: The jdmb.js file deployed Qakbot and Cobalt Strike, and by 12:21 on March 22, 2023, the attacker used CAPITA\backupadmin, likely via Kerberoasting, to achieve privilege escalation (paragraphs 40, 42).

Capita’s Failure

  • Failure to Prevent Kerberoasting and Privilege Escalation: Lack of PAM and Active Directory tiering allowed the attacker to exploit the weak password on CAPITA\backupadmin via Kerberoasting (paragraphs 81, 86, 90).
  • Lack of Multi-Factor Authentication (MFA): Absence of MFA for privileged accounts increased exploitation risk (paragraph 82).

5. Installation

Description: The attacker installs persistent malware to maintain access.

Incident Details: Qakbot and Cobalt Strike were installed, with Qakbot recovering usernames and passwords on March 23, 2023 (paragraph 43).

Capita’s Failure

  • Delayed Response to Alerts: The SOC failed to respond to a P2 alert for 58 hours, allowing malware installation (paragraphs 44, 375(i), 378).
  • Weak Password Management: The weak password on CAPITA\backupadmin enabled persistent access via Kerberoasting (paragraph 81(i)).
  • Inadequate Monitoring for Kerberoasting: Failure to monitor Kerberos ticket activity allowed undetected exploitation (paragraph 375(iii)).

6. Command and Control (C2)

Description: The attacker establishes a communication channel to control the compromised system.

Incident Details: On March 29, 2023, at 17:26, the attacker began exfiltrating data over a C2 channel using SystemBC (paragraph 48).

Capita’s Failure

  • Inadequate Network Monitoring: Lack of effective monitoring allowed the C2 channel to operate undetected (paragraph 375(iii)).
  • Failure to Restrict Lateral Movement: Absence of Active Directory tiering enabled lateral movement, facilitated by the compromised CAPITA\backupadmin account (paragraphs 66, 86).
  • Kerberoasting Vulnerability: The weak password enabled Kerberoasting, maintaining attacker control (paragraph 81(i)).

7. Actions on Objectives

Description: The attacker achieves their objectives, such as data exfiltration or ransomware deployment.

Incident Details:

  • Data Exfiltration: Between March 29 and 30, 2023, 974.84GB of data was exfiltrated, impacting 6,656,037 records (paragraphs 50, 55, 61).
  • Ransomware Deployment: On March 31, 2023, ransomware affected 59,359 accounts (paragraph 51).

Capita’s Failure

  • Failure to Secure Sensitive Data: Inadequate measures left sensitive data vulnerable, with CAPITA\backupadmin enabling access via Kerberoasting (paragraphs 61, 376).
  • Delayed Containment: Delayed response allowed exfiltration and ransomware deployment (paragraphs 46-48).
  • Negligent Security Posture: Capita’s awareness of SOC deficiencies and weak passwords, yet failure to act, enabled the attacker’s objectives (paragraph 378).

Summary of Capita’s Failures

The Penalty Notice identifies two primary failures, exacerbated by the weak password on CAPITA\backupadmin and the Kerberoasting vulnerability:

  1. Failure to Prevent Unauthorized Lateral Movement and Privilege Escalation:
    • Issue: Lack of Active Directory tiering and PAM allowed privilege escalation via Kerberoasting of the weak CAPITA\backupadmin password (paragraphs 66, 81, 86).
    • Impact: Enabled progression from Delivery to C2 stages.
    • Kerberoasting and Weak Password: The weak password was easily cracked, amplifying the Kerberoasting vulnerability (paragraph 81(i)).
    • Period: May 25, 2018, to March 31, 2023 (paragraph 8(i)).
  2. Failure to Respond Effectively to Security Alerts:
    • Issue: The under-resourced SOC delayed response to a P2 alert for 58 hours, allowing malware installation and exploitation of CAPITA\backupadmin (paragraphs 44, 375(i), 382).
    • Impact: Enabled Installation, C2, and Actions on Objectives.
    • Period: September 1, 2022, to March 31, 2023 (paragraph 8(ii)).

Additional Contextual Failures

  • Negligent Risk Management: Capita was aware of SOC deficiencies and the weak CAPITA\backupadmin password but accepted the risks (paragraph 378).
  • Inadequate Password Policies and Kerberos Security: Failure to enforce strong passwords or monitor Kerberos tickets enabled Kerberoasting (paragraph 81(i)).
  • Inadequate Data Sensitivity Consideration: Capita did not tailor security to sensitive data risks (paragraphs 61, 375(iv)).
  • Post-Incident Response: Reactive measures like Active Directory tiering were implemented post-incident, highlighting prior deficiencies (paragraphs 66-68).
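The monitoring gap flagged at the Installation stage (“Inadequate Monitoring for Kerberoasting”) and again above (“monitor Kerberos tickets”) is the one a SOC can close with a fairly simple detection. As an added example, not from the ICO notice or the original post, here is a small Python detector over Windows Security Event ID 4769 (“A Kerberos service ticket was requested”) records: it flags an account that obtains RC4-encrypted tickets for several distinct service accounts inside a short window, which is what a Kerberoasting run looks like in the logs. The field names follow the 4769 event schema; the sample events, account names and thresholds are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of 4769 events (field names follow the Windows 4769 schema).
# TicketEncryptionType 0x17 = RC4-HMAC, 0x12 = AES256. Status 0x0 = success.
# ServiceName values ending in "$" are computer accounts, not roastable SPN users.
SAMPLE_4769 = [
    {"ts": "2023-03-22T12:01:10", "TargetUserName": "jsmith",  "ServiceName": "FS01$",      "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"ts": "2023-03-22T12:03:02", "TargetUserName": "hr_user", "ServiceName": "krbtgt",     "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"ts": "2023-03-22T12:10:00", "TargetUserName": "jsmith",  "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"ts": "2023-03-22T12:10:01", "TargetUserName": "jsmith",  "ServiceName": "svc_sql",    "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"ts": "2023-03-22T12:10:02", "TargetUserName": "jsmith",  "ServiceName": "svc_web",    "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"ts": "2023-03-22T12:10:03", "TargetUserName": "jsmith",  "ServiceName": "svc_mail",   "TicketEncryptionType": "0x17", "Status": "0x1F"},
    {"ts": "2023-03-22T12:40:00", "TargetUserName": "dba",     "ServiceName": "svc_sql",    "TicketEncryptionType": "0x17", "Status": "0x0"},
]

def is_roastable_ticket(ev):
    """True for a successful RC4 service ticket for a user SPN (not a computer, not krbtgt)."""
    svc = ev["ServiceName"]
    return (ev["Status"] == "0x0"
            and ev["TicketEncryptionType"] == "0x17"
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")

def detect_kerberoasting(events, window=timedelta(minutes=5), min_distinct=3):
    """Return {requesting account: sorted distinct service accounts} for every account
    that obtained roastable tickets for >= min_distinct distinct SPNs within one window."""
    per_user = defaultdict(list)
    for ev in events:
        if is_roastable_ticket(ev):
            per_user[ev["TargetUserName"]].append(
                (datetime.fromisoformat(ev["ts"]), ev["ServiceName"]))
    alerts = {}
    for user, hits in per_user.items():
        hits.sort()  # chronological, so each slice below is a sliding window
        for i, (t0, _) in enumerate(hits):
            in_window = {svc for t, svc in hits[i:] if t - t0 <= window}
            if len(in_window) >= min_distinct:
                alerts[user] = sorted(in_window)
                break
    return alerts

if __name__ == "__main__":
    for user, spns in detect_kerberoasting(SAMPLE_4769).items():
        print(f"ALERT: Kerberoasting-like ticket burst by {user}: {', '.join(spns)}")
```

In an estate where service accounts are restricted to AES encryption types the 0x17 signal disappears, so the distinct-service burst is the part of the rule to keep; tune the window and min_distinct against your own baseline of legitimate SPN ticket requests.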

Impact of Failures

The weak password and Kerberoasting vulnerability allowed the threat actor to:

  • Gain access and escalate privileges via Kerberoasting on March 22, 2023 (paragraph 42).
  • Install malware and establish C2 channels (March 22–29, 2023) (paragraphs 43, 48).
  • Exfiltrate 974.84GB of data, affecting 6,656,037 individuals (paragraphs 7(viii), 55).
  • Deploy ransomware, disrupting 59,359 accounts (paragraph 51).

Conclusion

Capita’s failure to implement appropriate measures, exacerbated by the weak CAPITA\backupadmin password and Kerberoasting vulnerability, allowed the threat actor to progress through the Cyber Kill Chain. The lack of PAM, Active Directory tiering, strong password policies, and timely alert response enabled rapid privilege escalation, data exfiltration, and ransomware deployment. The ICO’s findings emphasize the need for proactive security measures, including robust Kerberos security and credential management, to protect sensitive data.

  • Gain network access
  • Kerberoast
  • Become Domain Admin
  • Steal Data
  • Cause Impact (Encrypt/Wipe)

So let’s think about how we can prevent that in other orgs! Because that’s part of what Cyber Winning looks like!

I wrote this years ago… in 2019! And even then that really should have been a blog from… many years before! We must however remember that largely the cyber security things we know are actually not anywhere nearly as commonly known as some people perceive! But they are, as an industry, known… and that’s the challenge: we need to get better at making sure our networks and people are set up to both defend against things we know about, and potential future threats!