The UK data privacy watchdog, the ICO, has fined the contract services firm Capita £14m after a breach in which hackers stole the personal data of 6.6 million people.
The stolen data included bank account numbers and sort codes, National Insurance numbers, biometric data and employee log-in details, as well as pension records (from the firm’s ‘pension solutions’ arm) and staff and customer details. John Edwards, UK Information Commissioner, said: “Capita failed in its duty to protect the data entrusted to it by millions of people. The scale of this breach and its impact could have been prevented had sufficient security measures been in place. When a company of Capita’s size falls short, the consequences can be significant. Not only for those whose data is compromised – many of whom have told us of the anxiety and stress they have suffered – but for wider trust amongst the public and for our future prosperity. As our fine shows, no organisation is too big to ignore its responsibilities. Maintaining good cybersecurity is fundamental to economic growth and security. With so many cyber attacks in the headlines, our message is clear: every organisation, no matter how large, must take proactive steps to keep people’s data secure. Cyber criminals don’t wait, so businesses can’t afford to wait either – taking action today could prevent the worst from happening tomorrow.”
About the hack
The ICO said it had provisionally intended to fine the firm £45m; the two sides agreed a settlement and Capita did not appeal. In March 2023 a malicious file was unintentionally downloaded onto an employee’s device. A high-priority security alert was raised within ten minutes of the download and some automated action was taken immediately, but Capita did not quarantine the device for 58 hours. In that window the attacker deployed further malicious software onto the Capita network, established persistence, gained administrator permissions and moved into other parts of the estate. After nearly one terabyte of data had been exfiltrated, ransomware was deployed and the attacker reset all user passwords. The point for practitioners is that detection worked: it was the 58 hours between the alert and containment that gave the attacker the time to escalate, move laterally and exfiltrate.
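The check a practitioner would want from this timeline is a measure of alert-to-containment time, so that a host left un-quarantined for hours after a high-severity alert is flagged rather than discovered after the fact. The example below is added here and is not the ICO’s, Capita’s or any vendor’s code: it reads a constructed stream of endpoint events, computes how long each host stayed un-quarantined after its first high-severity alert, and lists the hosts that breached an assumed one-hour containment SLA or were never contained at all. The event lines, the field layout (timestamp, host, event, severity) and the SLA value are all assumptions for illustration; one host mirrors the ten-minute alert and 58-hour quarantine described above.

```python
"""Alert-to-containment check over EDR-style events.

Added example, not from the ICO notice or from Capita. The event lines,
the field layout (ts host event severity=...) and the SLA value are
constructed for illustration and are not any product's real format.
"""
from datetime import datetime, timedelta

# Constructed sample events. host-a mirrors the timeline in the notice
# (high alert ten minutes after the download, quarantine 58 hours later);
# host-b is contained promptly; host-c is alerted on but never quarantined.
SAMPLE_EVENTS = """\
2023-03-21T09:00:00Z host-a file_download severity=low
2023-03-21T09:10:00Z host-a malware_alert severity=high
2023-03-21T09:11:00Z host-a automated_block severity=info
2023-03-23T19:10:00Z host-a quarantine severity=info
2023-03-21T10:00:00Z host-b malware_alert severity=high
2023-03-21T10:20:00Z host-b quarantine severity=info
2023-03-21T11:00:00Z host-c malware_alert severity=high
"""

# Assumed target for time-to-contain; not a figure from the ICO notice.
CONTAINMENT_SLA = timedelta(hours=1)


def parse_events(text):
    """Parse the constructed log format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event, sev = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "event": event,
            "severity": sev.split("=", 1)[1],
        })
    return sorted(events, key=lambda e: e["ts"])


def time_to_contain(events):
    """Map each alerted host to the delay from its first high-severity alert
    to its first subsequent quarantine event. None means never quarantined."""
    first_alert = {}
    contained = {}
    for e in events:
        host = e["host"]
        if e["severity"] == "high" and host not in first_alert:
            first_alert[host] = e["ts"]
        elif e["event"] == "quarantine" and host in first_alert and host not in contained:
            # Only a quarantine after the alert counts as containment.
            contained[host] = e["ts"]
    return {host: (contained[host] - ts) if host in contained else None
            for host, ts in first_alert.items()}


def sla_breaches(ttc, sla=CONTAINMENT_SLA):
    """Hosts whose containment took longer than the SLA or never happened."""
    return sorted(host for host, delay in ttc.items() if delay is None or delay > sla)


if __name__ == "__main__":
    ttc = time_to_contain(parse_events(SAMPLE_EVENTS))
    for host, delay in ttc.items():
        status = "never contained" if delay is None else f"{delay.total_seconds() / 3600:.1f} h"
        print(f"{host}: {status}")
    print("SLA breaches:", sla_breaches(ttc))
```

Run as a script it prints 58.0 h for host-a, 0.3 h for host-b, and “never contained” for host-c, with host-a and host-c listed as breaches. The open host (no quarantine event at all) is reported explicitly rather than silently dropped, since in practice it is the more dangerous case.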
What Capita says
Capita’s revenue, according to the plc’s most recent results, is about £1.1 billion per half year.
Adolfo Hernandez, Chief Executive Officer at Capita said: “As an organisation delivering essential public services as well as key services for private sector clients, Capita was among the first in the recent wave of highly significant cyber-attacks on large UK companies.”
“When I joined as CEO the year after the attack I accelerated our cyber security transformation, with new digital and technology leadership and significant investment. As a result, we have hugely strengthened our cybersecurity posture, built in advanced protections and embedded a culture of continuous vigilance.”
“Following an extended period of dialogue with the ICO over the last two years, we are pleased to have concluded this matter and reached today’s settlement. The Capita team continues to focus tirelessly on our Group transformation journey for the benefit of our customers, our people and wider society.”