The outsourcing firm Capita has been fined £14 million for data protection failings after a cyber-attack in March 2023 exposed the personal information of 6.6 million people, including staff and clients’ customers.
The UK Information Commissioner, John Edwards, said the breach caused significant anxiety and stress for those affected. Capita discovered the attack within 10 minutes but did not shut down the targeted device for 58 hours, allowing hackers to steal nearly 1 terabyte of data, deploy ransomware, and reset user passwords. Sensitive information included financial data, criminal records, and special category data such as race, religion, and sexual orientation.
The fine includes £8 million for Capita and £6 million for Capita Pension Solutions. An initial proposed fine of £45 million was reduced after Capita demonstrated improvements to its cybersecurity and cooperation with regulators and the National Cyber Security Centre.
The investigation found that prior to the attack, Capita failed to fix known vulnerabilities, had an understaffed security operations centre, and conducted inadequate testing of defences despite handling millions of sensitive records.
Capita’s chief executive, Adolfo Hernandez, said: “As an organisation delivering essential public services as well as key services for private sector clients, Capita was among the first in the recent wave of highly significant cyber-attacks on large UK companies.”
Andy Ward, SVP International at Absolute Security, commented: “The Capita breach highlights the critical importance of identifying and remediating cyber incidents immediately, every hour of delay multiplies the potential damage. Our research shows that 48% of UK CISOs believe the country has a poor cyber resilience strategy, highlighting how urgent this issue has become.”
“True resilience isn’t just about prevention or compliance, it’s about ensuring organisations can withstand and rapidly recover from attacks while minimising downtime and disruption. Cyber resilience must be embedded across every layer of the business, so leaders are prepared for the inevitable.”