UK outsourcing giant Capita has been fined £14 million by the Information Commissioner’s Office (ICO) following a major cyber-attack in March 2023 that compromised the personal data of 6.6 million people. The ICO concluded that Capita failed to address known security vulnerabilities, allowing hackers to steal almost a terabyte of sensitive data.
The breach affected 325 pension schemes and multiple clients across both public and private sectors.
Capita detected the intrusion within 10 minutes but left the compromised device online for 58 hours, enabling hackers to install ransomware and lock out staff.
An initial proposed fine of £45 million was reduced after Capita cited mitigating actions and improved security infrastructure.
Why It Matters: This breach and the subsequent fine are timely, as numerous high-impact cyber-attacks have hit UK companies within the last few months. As threats continue to intensify, regulators are sending a clear message that large organizations must implement proactive data protection measures or face serious financial and reputational consequences.
- Breach Impact and Scope: In March 2023, Capita was targeted by a cyber-attack that resulted in the theft of sensitive data affecting 6.6 million individuals, including pension records, criminal histories, and financial information. The data of employees and customers from over 325 pension schemes was compromised, with some of the information later appearing on the dark web.
- Security Failures Identified: Capita’s systems detected the breach within 10 minutes of a malicious file being downloaded, but the company did not shut down the affected device for 58 hours. During this window, attackers were able to compromise security further and exfiltrate nearly one terabyte of data. The ICO’s investigation found that Capita’s slow response and failure to isolate the compromised device directly contributed to the scale and impact of the data loss.
- Infrastructure and Inadequate Preparedness: The ICO found Capita’s cybersecurity posture insufficient for a company of its size and responsibility. Before the attack, Capita had not patched known software vulnerabilities, ran an understaffed security operations center, and conducted inadequate testing of its cybersecurity controls. These weaknesses left the infrastructure exposed, affecting the data of the 325 pension schemes the company manages.
- Fine Was Reduced Due to Mitigations and Cooperation: The ICO initially proposed a fine of £45 million to reflect the impact of the breach. However, it was reduced to £14 million after Capita demonstrated the improvements it made to its cybersecurity environment in the incident’s aftermath. These included engaging the National Cyber Security Centre (NCSC), conducting forensic investigations, contacting affected individuals, and investing in updated systems and security leadership. The fine still ranks among the largest imposed by the ICO, underlining the gravity of Capita’s missteps.
- Broader Rise in High-Profile UK Cyber Attacks and Regulatory Scrutiny: Capita’s breach is part of a growing pattern of major UK organizations falling victim to cyber threats, alongside companies like M&S, Harrods, and Jaguar Land Rover. The NCSC recently reported that nationally significant cyber-attacks more than doubled over the past year. In response, UK authorities are urging businesses to have paper-based contingency plans in place and to elevate cybersecurity from a technical concern to a board-level priority.
Go Deeper ->
- Outsourcing firm Capita fined £14m after millions had data stolen – BBC
- Capita fined £14mn over theft of personal data in cyber attack – Financial Times
- Capita fined £14m for data protection failings in 2023 cyber-attack – The Guardian
Our readers are CIOs, CTOs, and senior IT executives who rely on The National CIO Review for smart, curated takes on the trends shaping the enterprise, from GenAI to cybersecurity and beyond.