The Information Commissioner’s Office (ICO) in the UK has fined Capita, a provider of data-driven business process services, £14 million ($18.7 million) for a data breach incident in 2023 that exposed the personal information of 6.6 million people.
Capita is a major UK-based outsourcing and professional services company that provides consulting, digital, and software services to local councils, the NHS, the Ministry of Defence, and organisations in the banking, utilities, and telecommunications sectors.
With around 34,000 employees and an annual revenue of £3 billion, Capita’s clients are mostly in the UK and Europe.
Hundreds of retirement plan providers impacted
The ICO had initially set the fine to a much larger £45 million, but the agency decided to reduce the penalty after the company accepted liability, implemented important security improvements, and offered data protection services to exposed individuals.
The data protection authority fined Capita plc £8 million and Capita Pension Solutions Limited received a penalty of £6 million.
The ICO’s investigation has now confirmed that the stolen data impacts 6.6 million people, and hundreds of Capita clients, including 325 pension scheme providers in the UK.
In April 2023, the company announced that it had been targeted by hackers who attempted access to its internal Microsoft 365 environment, forcing some systems offline as part of its response.
An update three weeks later confirmed that hackers had accessed 4% of Capita’s internal IT infrastructure, and exfiltrated private files hosted on the breached systems.
The Black Basta ransomware gang claimed the attack and threatened to leak all stolen files unless the company paid a ransom.
Hackers had access for 58 hours
The cyberattack occurred on March 22, 2023, when a Capita employee downloaded a malicious file that gave hackers access to the company’s internal network.
The ICO comments that, even though the breach was detected within 10 minutes, Capita failed to isolate the infected device for another 58 hours, giving the attackers ample time to move laterally, spread on the network, and access sensitive databases.
“This file enabled the deployment of malicious software onto the Capita network, allowing the hacker to stay in the system, gain administrator permissions and access other areas of the network,” said the Information Commissioner’s Office.
“Between 29 and 30 March 2023, nearly one terabyte of data was exfiltrated. On 31 March 2023, ransomware was deployed onto Capita systems and the hacker reset all user passwords, preventing Capita staff from accessing their systems and network,” states UK’s data protection authority.
Capita is now fined for poor access controls (absence of tiered admin account model), delayed response to security alerts, operating an understaffed Security Ops Center, and failing to perform regular penetration testing and risk management exercises.
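Two of the ICO's findings above translate directly into checks a defender can run over their own telemetry: whether privileged accounts are being used outside their tier (the "tiered admin account model" the regulator says was missing), and how long an alert sits before the affected device is actually isolated (the 10-minute detection versus 58-hour containment gap). The script below is an added example, not code from the article, the ICO, or Capita; the tier map, account names, hostnames and sign-in records are all constructed for illustration, and the one-hour containment SLA is an assumed policy value.

```python
from datetime import datetime

# Constructed tier classification for a hypothetical estate (not Capita's).
# Lower number = more trusted: Tier 0 identity systems, Tier 1 servers, Tier 2 workstations.
ASSET_TIER = {
    "DC01": 0, "AADCONNECT01": 0,
    "FILESRV01": 1, "SQL01": 1,
    "WS-FINANCE-17": 2, "WS-HR-04": 2,
}
ACCOUNT_TIER = {
    "da-alice": 0,   # domain admin: may only touch Tier 0 hosts
    "srv-bob": 1,    # server admin: Tier 1 and below only from Tier 1 hosts
    "alice": 2, "bob": 2, "carol": 2,
}

# Constructed sign-in events (hypothetical), in the shape a SIEM export might have.
SIGNINS = [
    {"ts": "2023-03-22T09:01:00", "user": "carol",    "host": "WS-HR-04",      "type": "interactive"},
    {"ts": "2023-03-22T10:15:00", "user": "da-alice", "host": "WS-FINANCE-17", "type": "interactive"},
    {"ts": "2023-03-22T10:20:00", "user": "srv-bob",  "host": "FILESRV01",     "type": "remote"},
    {"ts": "2023-03-22T11:40:00", "user": "da-alice", "host": "DC01",          "type": "remote"},
    {"ts": "2023-03-23T08:05:00", "user": "srv-bob",  "host": "WS-HR-04",      "type": "interactive"},
    {"ts": "2023-03-23T08:30:00", "user": "bob",      "host": "LAPTOP-TMP",    "type": "interactive"},
]


def tier_violations(signins, asset_tier=ASSET_TIER, account_tier=ACCOUNT_TIER):
    """Return sign-ins that break the tiered admin model.

    The rule: an account may never authenticate to a host whose tier number is
    higher (less trusted) than the account's own tier, because whoever controls
    that host can harvest the credential. Unclassified hosts or accounts are
    also reported, since they cannot be policy-checked at all.
    """
    findings = []
    for ev in signins:
        acct = account_tier.get(ev["user"])
        host = asset_tier.get(ev["host"])
        if acct is None or host is None:
            findings.append({**ev, "reason": "unclassified account or host"})
        elif acct < host:
            findings.append({**ev, "reason": f"tier {acct} account on tier {host} host"})
    return findings


def containment_delay_hours(detected_at, isolated_at):
    """Hours between an alert firing and the device being isolated."""
    return (isolated_at - detected_at).total_seconds() / 3600.0


def sla_breached(detected_at, isolated_at, sla_hours=1.0):
    """True when detection-to-isolation exceeds the (assumed) one-hour SLA."""
    return containment_delay_hours(detected_at, isolated_at) > sla_hours


if __name__ == "__main__":
    for f in tier_violations(SIGNINS):
        print(f"{f['ts']} {f['user']}@{f['host']}: {f['reason']}")

    # Constructed timeline mirroring the article's figures: detected 10 minutes
    # after the download, isolated 58 hours after that.
    detected = datetime.fromisoformat("2023-03-22T09:10:00")
    isolated = datetime.fromisoformat("2023-03-24T19:10:00")
    print(f"containment delay: {containment_delay_hours(detected, isolated):.1f} h, "
          f"SLA breached: {sla_breached(detected, isolated)}")
```

The tier check is deliberately strict about unknown hosts: an asset that nobody has classified is exactly the kind of device where a privileged session goes unnoticed, so it is reported rather than silently skipped. The containment function is trivial on purpose; the value of wiring it into alert handling is that a breach of the SLA becomes a measurable, escalatable event rather than something discovered in a regulator's report.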
Capita’s CEO Adolfo Hernandez announced the settlement with ICO, underlining the effort and investment that has gone into strengthening the firm’s cybersecurity stance since the incident.
The executive also noted that they do not expect the payment of the fine to have an impact on previously published investor guidance.