Outsourcing giant Capita has been fined £14m by the Information Commissioner’s Office (ICO) for failing to protect personal data after hackers stole 6.6 million people’s information during a cyber attack in 2023.
The data watchdog confirmed the March 2023 breach exposed a wide array of personal information, including pension details, staff records, and customer data from organisations supported by Capita.
Crucially, this also encompassed highly sensitive categories such as criminal records, financial details, and 'special category data' covering race, religion, and sexual orientation.
The ICO apportioned the fine, with £8m levied against Capita and £6m for Capita Pension Solutions. The latter, processing data for over 600 pension schemes, saw 325 associated organisations also affected by the breach.
John Edwards, UK information commissioner, said: “Capita failed in its duty to protect the data entrusted to it by millions of people.
“The scale of this breach and its impact could have been prevented had sufficient security measures been in place.”
The ICO said Capita had failed to ensure the security of processing of personal data, which left it at “significant risk”, adding that the company also lacked “appropriate technical and organisational measures to effectively respond to the attack”.
The ICO had initially proposed a combined fine of £45m, but said this was reduced as part of a voluntary settlement and as it took into account actions by Capita following the hack to improve its systems, offer support to those impacted and engage with cyber authorities and regulators.
Capita said: “We regret the incident and can reaffirm that, following a detailed forensic investigation, all those identified as potentially impacted were contacted after the attack.”
Capita chief executive Adolfo Hernandez, who took on the role in 2024, said the firm was “among the first in the recent wave of highly significant cyber attacks on large UK companies”.
He added: “When I joined as CEO the year after the attack I accelerated our cyber security transformation, with new digital and technology leadership and significant investment.
“As a result, we have hugely strengthened our cybersecurity posture, built in advanced protections and embedded a culture of continuous vigilance.”
Capita has already taken a heavy financial hit from the cyber attack, estimating in the summer of 2023 that it could cost it up to £25m as it forked out for specialist professional fees, recovery and remediation costs and investments in its cyber security.
This was before taking into account any potential fines.
The ICO said the attack began when a malicious file was unintentionally downloaded onto an employee’s device on March 22 2023.
“Despite a high priority security alert being raised within 10 minutes of the breach and some immediate automated action being taken, Capita did not quarantine the device for 58 hours, during which the attacker was able to exploit its systems,” the ICO added.
The target response time is one hour, according to the ICO.
The hacker was then able to stay in the system, gain administrator permissions and access other areas of the network before deploying ransomware onto Capita’s systems on March 31, resetting all user passwords and stopping Capita employees from accessing their systems and network.
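The ICO's criticism turns on timings: an alert within 10 minutes, containment 58 hours later against a one-hour target, and ransomware nine days on. The following Python script is an added example, not code from the article, the ICO or Capita; it computes those detection and containment metrics from a constructed event timeline whose clock times are invented (only the offsets follow the ICO's account) and flags a missed containment target, including the case where a device is never quarantined at all.

```python
from datetime import datetime, timedelta

# Constructed sample timeline (hypothetical clock times). Only the offsets follow
# the ICO's account: alert 10 minutes after the download, quarantine 58 hours after
# the alert, ransomware deployed on 31 March. ISO 8601 timestamps, UTC assumed.
SAMPLE_EVENTS = [
    ("2023-03-22T09:00:00", "malicious_file_downloaded"),
    ("2023-03-22T09:10:00", "high_priority_alert"),
    ("2023-03-22T09:12:00", "automated_action"),
    ("2023-03-24T19:10:00", "device_quarantined"),
    ("2023-03-31T02:00:00", "ransomware_deployed"),
]

# One-hour containment target, as cited by the ICO.
CONTAINMENT_TARGET = timedelta(hours=1)


def parse_events(events):
    """Map event name -> datetime. Events are ordered by timestamp first, so if a
    name repeats (e.g. several alerts) the earliest occurrence is kept."""
    parsed = {}
    for ts, name in sorted(events):
        parsed.setdefault(name, datetime.fromisoformat(ts))
    return parsed


def incident_metrics(events, target=CONTAINMENT_TARGET):
    """Compute detection and containment timings from an event list.

    Returns a dict with:
      time_to_detect   first alert minus initial compromise
      time_to_contain  quarantine minus first alert (None if never quarantined)
      target_missed    True if containment exceeded the target or never happened
      overrun          how far past the target containment landed (None if not late)
      dwell_to_impact  ransomware deployment minus initial compromise (None if absent)
    """
    t = parse_events(events)
    if "malicious_file_downloaded" not in t or "high_priority_alert" not in t:
        raise ValueError("timeline needs both the compromise and the alert event")

    compromise = t["malicious_file_downloaded"]
    alert = t["high_priority_alert"]
    quarantine = t.get("device_quarantined")
    impact = t.get("ransomware_deployed")

    time_to_contain = (quarantine - alert) if quarantine is not None else None
    # An open case (no quarantine event yet) counts as a missed target.
    target_missed = time_to_contain is None or time_to_contain > target
    overrun = None
    if time_to_contain is not None and time_to_contain > target:
        overrun = time_to_contain - target

    return {
        "time_to_detect": alert - compromise,
        "time_to_contain": time_to_contain,
        "target_missed": target_missed,
        "overrun": overrun,
        "dwell_to_impact": (impact - compromise) if impact is not None else None,
    }


def format_report(metrics):
    """Render the metrics as short human-readable lines for a post-incident review."""
    def fmt(td):
        return "not yet / absent" if td is None else str(td)
    status = "MISSED" if metrics["target_missed"] else "met"
    return "\n".join([
        f"time to detect:   {fmt(metrics['time_to_detect'])}",
        f"time to contain:  {fmt(metrics['time_to_contain'])} (target {status})",
        f"overrun:          {fmt(metrics['overrun'])}",
        f"dwell to impact:  {fmt(metrics['dwell_to_impact'])}",
    ])


if __name__ == "__main__":
    print(format_report(incident_metrics(SAMPLE_EVENTS)))
```

Feeding the same function a timeline that lacks a `device_quarantined` event reports the case as still open and the target as missed, which is the state a SOC dashboard should surface while a flagged host remains on the network.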
It came amid a spate of cyber incidents in 2023, with high street retailer WH Smith suffering its second hack in less than a year in March of that year and Royal Mail’s international postal service suffering lengthy disruption after hackers targeted the group.
This year has brought further high-profile cyber attacks, with Jaguar Land Rover still recovering from a damaging hack just months after Marks & Spencer was badly hit.