Capita To Pay £14 Million For Data Breach That Exposed 6.6 Million People's Personal Data

The UK’s Information Commissioner’s Office (ICO) has imposed a £14 million fine on outsourcing giant Capita following a major cyber attack in 2023 that exposed the personal data of 6.6 million individuals.

This penalty, split as £8 million to Capita plc and £6 million to Capita Pension Solutions Limited, marks one of the largest data protection fines in recent UK history.

The breach highlighted critical shortcomings in corporate cybersecurity, affecting pension schemes and sensitive personal information across hundreds of organizations.

The incident unfolded on March 22, 2023, when an employee unwittingly downloaded a malicious file onto a company device, granting hackers initial access to Capita’s network.

Despite a high-priority security alert triggering within 10 minutes and some automated responses activating, Capita failed to isolate the infected device for 58 hours, far exceeding its one-hour target for responding to such alerts.

This delay allowed the attackers to deploy malware, escalate privileges, and move laterally across systems, exfiltrating nearly one terabyte of data between March 29 and 30.

By March 31, ransomware was deployed, resetting user passwords and locking Capita staff out of their systems, which disrupted services for clients, including local councils, the NHS, and pension providers.

Capita Data Breach Exposes Sensitive Data

The stolen data encompassed pension records, staff details, and customer information from over 600 organizations, with 325 pension schemes directly impacted.

Sensitive elements included financial data, criminal records, and special category information such as health or ethnic details for some victims.

The ICO received at least 93 complaints from affected individuals reporting anxiety and stress over potential identity theft and fraud.

The ICO’s probe uncovered multiple failures in Capita’s data protection practices, violating UK GDPR requirements for secure processing.

Notably, Capita lacked a tiered administrative account model, which made privilege escalation and unauthorized traversal of the network easier; these weaknesses had been flagged in prior assessments but left unaddressed.

Their Security Operations Centre was chronically understaffed, consistently missing response targets for alerts in the months leading up to the attack.

Additionally, critical systems handling millions of records underwent penetration testing only at commissioning, with no follow-ups, and findings remained siloed within business units rather than organization-wide.

These lapses left vast amounts of personal data exposed to significant risk, amplifying the breach’s scale.
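The two timing figures above (an alert within 10 minutes, isolation only after 58 hours, against a one-hour target) are the kind of thing a SOC should be measuring continuously rather than discovering in a regulator's report. The script below is an added example, not code from Capita, the ICO or this article: it reads constructed alert and isolation events in an invented log format, computes time-to-containment per alert, flags breaches of a per-severity target, and reports the breach rate. Only the one-hour target for high-priority alerts comes from the article; the other targets, the hostnames and alert IDs are assumptions made for illustration.

```python
"""Measure alert-to-containment time against response targets and flag breaches.

Added example, not Capita's or the ICO's code. The log format, hostnames and
alert IDs are invented; only the one-hour target for high-severity alerts is
the figure cited in the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Per-severity containment targets. "high" = 1 hour is from the article;
# "medium" and "low" are assumed values for illustration.
TARGETS = {
    "high": timedelta(hours=1),
    "medium": timedelta(hours=8),
    "low": timedelta(hours=72),
}


def _parse_ts(s):
    """Parse an ISO 8601 timestamp (trailing 'Z' allowed) into an aware UTC datetime."""
    if isinstance(s, datetime):
        return s.astimezone(timezone.utc)
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_events(lines):
    """Parse 'KIND TIMESTAMP key=value ...' lines into dicts; skip blanks and comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, ts, *fields = line.split()
        ev = {"kind": kind, "ts": _parse_ts(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def containment_report(lines, now):
    """One row per ALERT_RAISED: time until the host was isolated (or until `now`
    if it never was), whether that exceeded the severity's target, and by how much."""
    now = _parse_ts(now)
    events = parse_events(lines)
    isolations = defaultdict(list)
    for ev in events:
        if ev["kind"] == "HOST_ISOLATED":
            isolations[ev["host"]].append(ev["ts"])
    rows = []
    for ev in events:
        if ev["kind"] != "ALERT_RAISED":
            continue
        # The first isolation of this host at or after the alert counts as containment.
        later = [t for t in isolations[ev["host"]] if t >= ev["ts"]]
        contained_at = min(later) if later else None
        elapsed = (contained_at or now) - ev["ts"]
        target = TARGETS[ev["sev"]]
        rows.append({
            "id": ev["id"],
            "host": ev["host"],
            "sev": ev["sev"],
            "contained": contained_at is not None,
            "elapsed": elapsed,
            "breached": elapsed > target,
            "overrun": max(elapsed - target, timedelta(0)),
        })
    return rows


def breach_rate(rows, sev="high"):
    """Fraction of alerts of the given severity that missed their containment target."""
    selected = [r for r in rows if r["sev"] == sev]
    if not selected:
        return 0.0
    return sum(r["breached"] for r in selected) / len(selected)


# Constructed sample log, not real telemetry. A-1001 mirrors the article's
# timeline: isolation 58 hours after a high-severity alert.
SAMPLE_LOG = """
# kind          timestamp              fields
ALERT_RAISED    2023-03-22T09:00:00Z   id=A-1001 host=WKS-0423 sev=high
HOST_ISOLATED   2023-03-24T19:00:00Z   host=WKS-0423
ALERT_RAISED    2023-03-22T11:30:00Z   id=A-1002 host=WKS-0117 sev=high
HOST_ISOLATED   2023-03-22T12:05:00Z   host=WKS-0117
ALERT_RAISED    2023-03-23T08:00:00Z   id=A-1003 host=SRV-FILE02 sev=medium
ALERT_RAISED    2023-03-23T08:15:00Z   id=A-1004 host=WKS-0900 sev=high
""".splitlines()

if __name__ == "__main__":
    report_time = "2023-03-25T00:00:00Z"  # assumed time the report is run
    rows = containment_report(SAMPLE_LOG, report_time)
    for r in rows:
        state = "BREACH" if r["breached"] else "ok"
        print(f"{r['id']} {r['host']:<11} {r['sev']:<7} elapsed={r['elapsed']} {state}")
    print(f"high-severity breach rate: {breach_rate(rows):.0%}")
```

Alerts with no matching isolation are scored against the report time rather than ignored, so an open alert keeps accruing overrun until someone acts on it; that is the difference between a dashboard that says "one alert still open" and one that says "one high-severity host has been unisolated for 39 hours".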

Information Commissioner John Edwards emphasized that “Capita failed in its duty to protect the data entrusted to it by millions of people,” underscoring the preventable nature of the incident through basic measures like the principle of least privilege and timely alert responses.

Originally facing a £45 million provisional fine, Capita negotiated it down to £14 million via a voluntary settlement, admitting liability without appeal.

Capita offered 12 months of free credit monitoring to affected individuals through Experian, with over 260,000 activations, and established a dedicated support hotline.

CEO Adolfo Hernandez acknowledged the event as part of a wave of attacks on UK firms, reaffirming commitments to data security for public and private sector clients.

The ICO urged organizations to follow NCSC guidance on preventing lateral movement, conduct regular risk assessments, and prioritize security staffing.

With ongoing legal actions from victims, Capita’s total costs may yet rise, emphasizing accountability in an era of escalating ransomware threats.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.