The UK’s Information Commissioner’s Office (ICO) has issued a £14 million fine to Capita, a major provider of business process and professional services, for a significant data breach that occurred in 2023. This incident compromised the personal information of 6.6 million people, including customers of 325 pension scheme providers. The ICO’s investigation found that the breach was a direct result of the company’s inadequate cybersecurity measures. Although the initial fine was set at £45 million, the penalty was reduced after Capita accepted liability, improved its security protocols, and offered data protection services to those affected. The total fine was split between the parent company, Capita plc, which was fined £8 million, and its subsidiary, Capita Pension Solutions Limited, which received a £6 million penalty.
The attack, carried out by the Black Basta ransomware gang, began on March 22, 2023, when a Capita employee downloaded a malicious file. This seemingly simple action allowed the hackers to gain access to the company’s internal network. According to the ICO, although the breach was detected within 10 minutes, Capita failed to isolate the compromised device for 58 hours. This critical delay gave the attackers ample time to move across the network, access sensitive databases, and exfiltrate nearly one terabyte of data between March 29 and 30, 2023. On March 31, the hackers deployed ransomware and reset all user passwords, preventing Capita employees from accessing their systems.
The ICO’s investigation pinpointed several critical security failures at Capita. The company was found to have poor access controls, lacking a tiered administrative account model that could have limited the hackers’ lateral movement. Additionally, its Security Operations Center was understaffed, leading to a delayed response to security alerts. The report also noted that Capita had not performed regular penetration testing or risk management exercises, leaving it vulnerable to such a targeted attack. These failings created the perfect conditions for the breach to escalate and become a major data exposure event.
In response to the incident, Capita’s CEO, Adolfo Hernandez, announced a settlement with the ICO. He highlighted the company’s significant investment in strengthening its cybersecurity stance since the breach. This includes implementing the security improvements that contributed to the reduction of the fine. Hernandez also stated that the payment of the fine is not expected to affect the company’s previously published investor guidance, a point of reassurance for stakeholders following the costly breach and its aftermath.
This incident serves as a stark reminder of the importance of robust cybersecurity practices, especially for companies that handle large volumes of sensitive personal data. Capita provides critical services to a wide range of organizations, including UK local councils, the NHS, and the Ministry of Defense. With 34,000 employees and an annual revenue of £3 billion, the scale of this breach underscores the potential for widespread damage when security protocols are not up to standard. The ICO’s action against Capita sends a clear message that organizations are held accountable for protecting the data they are entrusted with.
Reference:
