Outsourcing giant Capita – whose clients span both public and private sector – has agreed to pay a £14m fine for failing to ensure the security of personal data related to a breach in 2023 that saw hackers steal millions of people’s information.
The move, which means the company has vowed not to appeal the decision, still represents a nearly 70% reduction on the Information Commissioner’s Office’s £45m “notice of intent”, after the regulator said Capita had “submitted representations and mitigating factors on the provisional decision”.
This included the improvements made after the attack, support offered to affected individuals and engagement with other regulators and the National Cyber Security Centre.
The ICO maintains that the fine still shows that “no organisation is too big to ignore its responsibilities”.
The cyber-attack took place in March 2023, when a malicious file was unintentionally downloaded onto an employee device. Despite a high-priority security alert being raised within 10 minutes of the breach and some immediate automated action being taken, Capita did not quarantine the device for 58 hours, during which the attacker was able to exploit its systems.
This file enabled the deployment of malicious software onto the Capita network, allowing the hacker to stay in the system, gain administrator permissions and access other areas of the network. Between March 29 and 30 2023, nearly one terabyte of data was exfiltrated.
On March 31 2023, ransomware was deployed onto Capita systems and the hacker reset all user passwords, preventing Capita staff from accessing their systems and network.
The personal information of 6.6 million people was stolen, from pension records and staff records to the details of customers of organisations Capita supports. For some people, this included sensitive information such as details of criminal records, financial data or special category data.
The company’s clients include the Ministry of Defence, the Department for Work and Pensions, Transport for London and TV Licensing, as well as Virgin Media O2 and ScottishPower.
Capita Pension Solutions processes personal information on behalf of over 600 organisations providing pension schemes, with 325 of these organisations also impacted by the data breach.
The ICO’s investigation found that Capita had failed to ensure the security of its processing of personal data, which left it at significant risk, and that it lacked the appropriate technical and organisational measures to respond effectively to the attack.
Capita plc has been hit with an £8m monetary penalty and Capita Pension Solutions with a £6m fine, giving a combined total of £14m.
UK Information Commissioner John Edwards said: “Capita failed in its duty to protect the data entrusted to it by millions of people. The scale of this breach and its impact could have been prevented had sufficient security measures been in place.
“When a company of Capita’s size falls short, the consequences can be significant. Not only for those whose data is compromised – many of whom have told us of the anxiety and stress they have suffered – but for wider trust amongst the public and for our future prosperity. As our fine shows, no organisation is too big to ignore its responsibilities.
“Maintaining good cybersecurity is fundamental to economic growth and security. With so many cyber-attacks in the headlines, our message is clear: every organisation, no matter how large, must take proactive steps to keep people’s data secure. Cyber criminals don’t wait, so businesses can’t afford to wait either – taking action today could prevent the worst from happening tomorrow.”
The ICO and Capita have now agreed to a voluntary settlement. Capita has acknowledged the decision and admitted liability, agreeing to pay a final penalty of £14m without appealing.