Brian Sims
Editor

Capita fined £14 million for data breach affecting over six million people

THE INFORMATION Commissioner’s Office (ICO) has issued a fine of £14 million to Capita for the latter’s failure to ensure the security of personal data related to a breach two years ago that resulted in hackers stealing millions of people’s personal information. Capita plc has been fined £8 million and Capita Pension Solutions Limited has been fined £6 million.

The cyber attack took place in March 2023. The personal information of 6.6 million people was stolen, from pension records and staff records through to the details of customers of organisations Capita supports. For some individuals, this included sensitive information such as details of criminal records, financial data or special category data.

Capita Pension Solutions Limited processes personal information on behalf of over 600 organisations providing pension schemes, with 325 of these organisations also impacted by the data breach.

The ICO’s investigation found that Capita had failed to ensure the security of processing of personal data which left that data at significant risk, as well as lacking the appropriate technical and organisational measures to effectively respond to the attack.

John Edwards, the UK’s Information Commissioner, said: “Capita failed in its duty to protect the data entrusted to it by millions of individuals. The scale of this breach and its impact could have been prevented had sufficient security measures been in place.”

Edwards continued: “When a company of Capita’s size falls short, the consequences can be significant, not only for those whose data is compromised – many of whom have told us of the anxiety and stress they have suffered – but also when it comes to wider trust among the public and for our future prosperity. As our fine shows, no organisation is too big to ignore its responsibilities.”

Further, Edwards noted: “Maintaining good cyber security is fundamental to economic growth and security. With so many cyber attacks in the headlines, our message is clear: every organisation, no matter how large, must take proactive steps to keep people’s data secure. Cyber criminals don’t wait, so businesses can’t afford to wait either. Taking action today could prevent the worst from happening tomorrow.”

Provisional intention

The ICO initially informed Capita of its provisional intention to fine the company a combined total of £45 million. Capita then submitted representations and mitigating factors on the provisional decision, which were then carefully considered by the ICO. This included the improvements made after the attack, support offered to affected individuals and engagement with other regulators and the National Cyber Security Centre.

The ICO and Capita have now agreed to a voluntary settlement. Capita has acknowledged the ICO’s decision and admitted liability, agreeing to pay a final penalty of £14 million without appealing.

Cyber attack

The cyber attack began when a malicious file was unintentionally downloaded to an employee device on 22 March 2023. Despite a high priority security alert being raised within ten minutes of the breach and some immediate automated action being taken, Capita did not quarantine the device for 58 hours, during which time the attacker was able to exploit its systems.

This file enabled the deployment of malicious software on the Capita network, allowing the hacker to stay in the system, gain administrator permissions and access other areas of the network. Between 29 and 30 March 2023, nearly one terabyte of data was exfiltrated.

On 31 March 2023, ransomware was deployed on Capita systems and the hacker reset all user passwords, preventing Capita staff from accessing their systems and network. The ICO subsequently received at least 93 complaints in relation to this attack.

Summary of contraventions

The ICO’s investigation found that Capita failed to implement appropriate technical and organisational measures in order to safeguard the data being held. This included:

* Failure to prevent privilege escalation and unauthorised lateral movement:

Capita did not implement a tiering model for administrative accounts. This allowed the attacker to escalate privileges, move laterally across multiple domains and compromise critical systems. These failings were flagged as a vulnerability on at least three separate occasions, but were not remedied.

* Failure to respond appropriately to security alerts:

A high priority security alert was raised within ten minutes of the breach, but Capita took 58 hours to respond appropriately, against a target response time of one hour. Capita’s Security Operations Centre was understaffed and, for at least the six months before the incident, fell well below its target response times for security alerts.

* Inadequate penetration testing and risk assessment:

Systems processing millions of records, including some sensitive data, were only subject to a penetration test upon being commissioned and were not subject to any subsequent penetration test. Findings from penetration tests were siloed within business units. Risks identified that affected the wider Capita network were not universally addressed.

Proactive steps

This investigation highlights key areas where organisations should be taking proactive steps to reduce security risks, such as:

* Following National Cyber Security Centre guidance on preventing lateral movement and ensuring that the ‘principle of least privilege’ is applied across the organisation

* Regularly monitoring for suspicious activity and responding to initial warnings and alerts in a timely manner

* Sharing the findings from penetration testing across the whole organisation so that risks can be universally addressed

* Prioritising investment in key security controls to ensure that they’re operating effectively

* Checking agreements and responsibilities between data controllers and data processors

Response from Capita

Capita offered 12 months of credit monitoring with Experian to affected individuals, as well as setting up a dedicated call centre for them. The business provided weekly updates to the ICO on uptake, with over 260,000 people choosing to take up the credit monitoring service.

Adolfo Hernandez, CEO at Capita, said: “As an organisation delivering essential public services as well as key services for private sector clients, Capita was among the first to suffer in the recent wave of highly significant cyber attacks on large UK companies.”

Hernandez continued: “When I joined as CEO the year after the attack, I accelerated our cyber security transformation, with new digital and technology leadership and significant investment. As a result, we have hugely strengthened our cyber security posture, built advanced protections and embedded a culture of continuous vigilance.”

In addition, Hernandez noted: “Following an extended period of dialogue with the ICO over the last two years, we are pleased to have concluded this matter and to have reached a settlement. The Capita team continues to focus tirelessly on our Group transformation journey for the benefit of our customers, our people and, indeed, the wider society.”

Industry comment

Andy Ward, senior vice-president for international business at Absolute Security, informed Security Matters: “The Capita breach highlights the critical importance of identifying and remediating cyber incidents immediately. Every hour of delay multiplies the potential damage. Our research shows that 48% of UK Chief Information Security Officers believe the country has a poor cyber resilience strategy, in turn highlighting how urgent this issue has become.”

Ward added: “True resilience isn’t just about prevention or compliance. It’s also about ensuring organisations can withstand and rapidly recover from attacks, while minimising downtime and disruption. Cyber resilience must be embedded across every layer of the business. Leaders need to be prepared for the inevitable.”

Company Info

Western Business Media
