The UK’s Information Commissioner’s Office has imposed a £14 million penalty on Capita following a major cyber attack in March 2023 that exposed the personal information of 6.6 million people.
The fine was split between Capita plc, which received £8 million, and its subsidiary Capita Pension Solutions Limited, which was fined £6 million.
The breach compromised sensitive data belonging to millions of people, including pension records, staff information, and customer details from over 600 organisations that Capita supports.
For many victims, the stolen information included financial data, criminal records, and other sensitive personal details.
The attack particularly affected pension scheme providers, with 325 organisations experiencing data exposure through Capita Pension Solutions Limited.
How the Attack Unfolded
The cyber attack started when an employee accidentally downloaded a malicious file on March 22, 2023.
Although Capita’s security systems raised a high-priority alert within just 10 minutes, the company waited 58 hours before quarantining the infected device.
This critical delay gave hackers plenty of time to spread malicious software throughout the network, gain administrator access, and move freely between systems.
Between March 29 and 30, attackers managed to steal nearly one terabyte of data from Capita’s systems.
On March 31, they deployed ransomware and reset all user passwords, effectively locking Capita staff out of their own network.
The ICO received at least 93 complaints from people affected by this security failure.
The ICO’s investigation uncovered serious weaknesses in Capita’s security practices.
The company failed to implement proper controls for administrative accounts, allowing hackers to escalate their privileges and access critical systems across multiple domains.
This vulnerability had been identified on three separate occasions before the attack but was never fixed.
Capita’s Security Operations Centre was also understaffed and frequently missed its target response time of one hour for security alerts.
For at least six months before the incident, the team consistently failed to meet these important deadlines.
Additionally, the company only performed penetration testing when systems were first set up and never conducted follow-up tests, even for systems handling millions of sensitive records.
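The ICO's findings above turn on one measurable thing: how long a high-priority alert sat before the affected device was contained, against a target of one hour. The following is an added example, not code from the article, the ICO or Capita, showing how a SOC can compute that alert-to-containment interval from its own ticket records and report which alerts met, breached, or are still pending against the target. The alert records are constructed for illustration (the first one mirrors the 58-hour delay the article describes); the field names and the `evaluate` / `compliance_rate` helpers are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample ticket records, not real Capita logs.
# Fields: alert_id, severity, raised_at, contained_at (None = device not yet quarantined)
SAMPLE_ALERTS = [
    ("A-1001", "high", "2023-03-22T09:10:00", "2023-03-24T19:10:00"),  # 58h: the delay the ICO cited
    ("A-1002", "high", "2023-03-22T11:00:00", "2023-03-22T11:40:00"),  # 40 min: inside the 1h target
    ("A-1003", "medium", "2023-03-23T08:00:00", "2023-03-23T10:30:00"),  # 2h30: target missed
    ("A-1004", "high", "2023-03-23T14:00:00", None),  # still open, target not yet exceeded
    ("A-1005", "high", "2023-03-23T12:00:00", None),  # still open and already past the target
]

# The one-hour response target described in the article.
TARGET = timedelta(hours=1)


@dataclass
class Outcome:
    alert_id: str
    severity: str
    hours: float          # elapsed alert-to-containment (or alert-to-now) time
    status: str           # "met", "breached" or "pending"


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def time_to_contain(raised_at: str, contained_at: Optional[str], now: datetime) -> timedelta:
    """Elapsed time from alert to quarantine; open alerts are measured up to `now`."""
    start = _parse(raised_at)
    end = _parse(contained_at) if contained_at else now
    return end - start


def classify(elapsed: timedelta, is_open: bool, target: timedelta) -> str:
    # An open alert that is still inside the target window is pending, not a breach.
    if is_open and elapsed <= target:
        return "pending"
    return "met" if elapsed <= target else "breached"


def evaluate(alerts, target: timedelta = TARGET, now: Optional[datetime] = None):
    """Score every alert against the containment target."""
    now = now or datetime.now()
    outcomes = []
    for alert_id, severity, raised_at, contained_at in alerts:
        elapsed = time_to_contain(raised_at, contained_at, now)
        outcomes.append(Outcome(
            alert_id=alert_id,
            severity=severity,
            hours=elapsed.total_seconds() / 3600,
            status=classify(elapsed, contained_at is None, target),
        ))
    return outcomes


def compliance_rate(outcomes, severity: str = "high") -> Optional[float]:
    """Share of decided (non-pending) alerts of a given severity that met the target."""
    decided = [o for o in outcomes if o.severity == severity and o.status != "pending"]
    if not decided:
        return None
    return sum(o.status == "met" for o in decided) / len(decided)


def worst_case_hours(outcomes) -> float:
    """Longest alert-to-containment interval in the set, in hours."""
    return max(o.hours for o in outcomes)


if __name__ == "__main__":
    # Freeze "now" so the open-alert cases are deterministic.
    results = evaluate(SAMPLE_ALERTS, now=datetime.fromisoformat("2023-03-23T14:30:00"))
    for o in results:
        print(f"{o.alert_id} [{o.severity}] {o.hours:6.2f}h -> {o.status}")
    print(f"high-severity compliance: {compliance_rate(results, 'high'):.0%}")
    print(f"worst case: {worst_case_hours(results):.1f}h")
```

Run over a month or two of ticket exports, the same report gives the figure the ICO was looking for: how often the one-hour target was actually met, and how far the worst cases drifted from it. Counting open alerts that are already past the target as breaches, rather than waiting for them to close, keeps an understaffed queue from hiding its own backlog.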
The ICO originally planned to fine Capita £45 million but reduced the penalty to £14 million after considering the company’s response.
Capita offered affected customers 12 months of free credit monitoring through Experian and established a dedicated call centre for support. Over 260,000 people activated the credit monitoring service.
UK Information Commissioner John Edwards emphasized that organizations of all sizes must take cybersecurity seriously.
He stated that the breach’s scale could have been prevented with proper security measures in place, and that cyber criminals don’t wait, so businesses cannot afford to delay protecting customer data.