Capita Fined £14 Million for Data Breach Affecting 6.6 Million Individuals

In a landmark decision, the UK’s Information Commissioner’s Office (ICO) has levied a £14 million fine against outsourcing giant Capita for a significant data breach in 2023 that compromised the personal information of 6.6 million individuals. This penalty, divided into £8 million for Capita plc and £6 million for Capita Pension Solutions Limited, stands as one of the most substantial data protection fines in recent UK history.

Incident Overview

The breach originated on March 22, 2023, when an employee inadvertently downloaded a malicious file onto a company device, providing cybercriminals with initial access to Capita’s network. Although a high-priority security alert triggered within 10 minutes and some automated responses activated, Capita failed to isolate the infected device for 58 hours, far exceeding its one-hour target response time. This delay allowed the attackers to deploy malware, escalate privileges, and move laterally across systems, exfiltrating nearly one terabyte of data between March 29 and 30.

By March 31, ransomware was deployed, resetting user passwords and locking Capita staff out of their systems, which disrupted services for clients, including local councils, the NHS, and pension providers.

Scope of Data Compromised

The stolen data encompassed pension records, staff details, and customer information from over 600 organizations, with 325 pension schemes directly impacted. Sensitive elements included financial data, criminal records, and special category information such as health or ethnic details for some victims. The ICO received at least 93 complaints from affected individuals reporting anxiety and stress over potential identity theft and fraud.

Investigation Findings

The ICO’s investigation uncovered multiple failures in Capita’s data protection practices, violating UK GDPR requirements for secure processing. Notably, Capita lacked a tiered administrative account model, enabling easy privilege escalation and unauthorized network traversal; these weaknesses had been flagged in prior assessments but were left unaddressed. Its Security Operations Centre was chronically understaffed and had consistently missed response targets for alerts in the months leading up to the attack. Additionally, critical systems handling millions of records underwent penetration testing only at commissioning, with no follow-ups, and findings remained siloed within business units rather than being shared organization-wide. These lapses left vast amounts of personal data exposed to significant risk, amplifying the breach’s scale.
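The two findings above, the 58-hour isolation delay against a one-hour target and a SOC that had been missing that target for months, are exactly what a simple containment-SLA metric is meant to surface. The following Python is an added example, not Capita's or the ICO's code: it measures alert-to-isolation time against a one-hour target over constructed alert records (field layout, IDs and timestamps are all assumptions) and reports monthly attainment so chronic misses become visible before an incident.

```python
# Added example (not from the page's subject): time-to-contain against a fixed
# one-hour isolation target, plus monthly SLA attainment. All alert records are
# constructed sample data; the record layout is an assumption.
from collections import defaultdict
from datetime import datetime, timedelta

CONTAINMENT_TARGET = timedelta(hours=1)
# Constructed alerts: (alert_id, severity, alerted_at, isolated_at or None)
SAMPLE_ALERTS = [
    ("A-001", "high", "2023-01-10T09:00:00", "2023-01-10T09:40:00"),
    ("A-002", "high", "2023-01-21T14:05:00", "2023-01-21T17:30:00"),
    ("A-003", "high", "2023-02-03T08:15:00", "2023-02-03T08:50:00"),
    ("A-004", "high", "2023-02-17T22:10:00", "2023-02-20T01:00:00"),
    ("A-005", "high", "2023-02-28T11:00:00", None),  # never isolated
    ("A-006", "high", "2023-03-22T10:00:00", "2023-03-24T20:00:00"),  # 58h
]

def parse(ts):
    return datetime.fromisoformat(ts) if ts else None

def time_to_contain(alert):
    """Alert-to-isolation delay, or None if the host was never isolated."""
    alerted, isolated = parse(alert[2]), parse(alert[3])
    return None if isolated is None else isolated - alerted

def breaches(alerts, target=CONTAINMENT_TARGET):
    """(alert_id, hours) for alerts that missed the target; unresolved -> None."""
    out = []
    for a in alerts:
        ttc = time_to_contain(a)
        if ttc is None or ttc > target:
            out.append((a[0], None if ttc is None else ttc.total_seconds() / 3600))
    return out

def monthly_attainment(alerts, target=CONTAINMENT_TARGET):
    """Map 'YYYY-MM' -> fraction of that month's alerts contained within target."""
    met, total = defaultdict(int), defaultdict(int)
    for a in alerts:
        month = a[2][:7]
        total[month] += 1
        ttc = time_to_contain(a)
        if ttc is not None and ttc <= target:
            met[month] += 1
    return {m: met[m] / total[m] for m in sorted(total)}

if __name__ == "__main__":
    for alert_id, hours in breaches(SAMPLE_ALERTS):
        print(alert_id, "never isolated" if hours is None else f"{hours:.1f}h to isolate")
    print(monthly_attainment(SAMPLE_ALERTS))
```

An alert that is never isolated is counted as a breach rather than dropped, since a missing isolation timestamp is the worst case, not a data gap to ignore.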

Information Commissioner John Edwards emphasized that Capita failed in its duty to protect the data entrusted to it by millions of people, underscoring the preventable nature of the incident through basic measures like the principle of least privilege and timely alert responses.

Financial Penalty and Remedial Actions

Originally facing a £45 million provisional fine, Capita negotiated it down to £14 million via a voluntary settlement, admitting liability without appeal. Capita offered 12 months of free credit monitoring to affected individuals through Experian, with over 260,000 activations, and established a dedicated support hotline. CEO Adolfo Hernandez acknowledged the event as part of a wave of attacks on UK firms, reaffirming commitments to data security for public and private sector clients.

Regulatory Recommendations

The ICO urged organizations to follow NCSC guidance on preventing lateral movement, conduct regular risk assessments, and prioritize security staffing. With ongoing legal actions from victims, Capita’s total costs may yet rise, emphasizing accountability in an era of escalating ransomware threats.