
The UK’s Information Commissioner’s Office (ICO) has fined Capita a total of £14 million for severe security failures that led to a data breach in 2023, exposing the sensitive personal data of over 6.6 million individuals.
The breach, caused by a preventable cyberattack, impacted hundreds of pension schemes and revealed systemic cybersecurity shortcomings at one of the UK’s largest outsourcing firms.
Founded in 1984, Capita is one of the UK’s largest business process outsourcing (BPO) and professional services companies, with over 50,000 employees. It operates across multiple sectors, including pensions administration, IT services, education, and healthcare. The company handles vast amounts of sensitive information for both public and private sector clients.
The fine follows a detailed investigation into a March 2023 incident where hackers infiltrated Capita’s systems, exfiltrated nearly one terabyte of data, and deployed ransomware, locking out employees from key systems. The stolen data included staff records, pension details, financial information, criminal records, and other special category data.
The ICO issued two separate penalties: £8 million to Capita plc and £6 million to Capita Pension Solutions Limited. Capita Pension Solutions, a subsidiary of Capita plc, processes pension data on behalf of more than 600 organisations, 325 of which were directly affected by the breach.
The ICO’s findings paint a picture of prolonged neglect. Capita had repeatedly failed to address known vulnerabilities that allowed attackers to escalate privileges and move laterally across domains after the breach began on 22 March 2023. A malicious file was downloaded onto an employee’s device, triggering an automated alert within 10 minutes. However, it took Capita 58 hours to isolate the compromised device, allowing the attackers to deploy malware, gain admin-level access, and extract sensitive data between 29 and 30 March.
On 31 March, the attackers launched ransomware and reset all user passwords, effectively locking Capita out of its own systems. The ICO received at least 93 formal complaints regarding the incident.
Key findings from the ICO investigation include:
- Capita failed to implement a tiered admin account model, despite internal flags raised on at least three occasions.
- Capita’s target response time for high-priority alerts was one hour, yet the compromised system went unquarantined for over two days. Understaffing in the Security Operations Center contributed to delays.
- Critical systems were tested only once, at commissioning, and findings were not shared across teams, allowing organisation-wide risks to remain unmitigated.
The ICO initially proposed a £45 million fine, but this was reduced following Capita’s representations, acknowledgment of liability, and steps taken to mitigate the impact. These included offering 12 months of credit monitoring through Experian and establishing a dedicated support line for affected individuals. Over 260,000 people have activated the credit monitoring service thus far, according to the agency.
In a statement following the announcement, Capita Chief Executive Officer Adolfo Hernandez said:
“As an organisation delivering essential public services as well as key services for private sector clients, Capita was among the first in the recent wave of highly significant cyber-attacks on large UK companies.
When I joined as CEO the year after the attack, I accelerated our cyber security transformation, with new digital and technology leadership and significant investment. As a result, we have hugely strengthened our cybersecurity posture, built in advanced protections and embedded a culture of continuous vigilance.
Following an extended period of dialogue with the ICO over the last two years, we are pleased to have concluded this matter and reached today’s settlement. The Capita team continues to focus tirelessly on our Group transformation journey for the benefit of our customers, our people and wider society.”