UK regulator throws the book at Capita for huge 2023 data breach

The UK regulatory body, the Information Commissioner’s Office (ICO), has issued a fine of £14 million ($18.7 million) to Capita, an international outsourcing company, for failing to protect people’s personal information from a data breach.
Capita plc has been fined £8m ($10.7m) and Capita Pension Solutions Limited has been fined £6m ($8m).
The ransomware group Black Basta claimed responsibility for the data breach in March 2023. The stolen personal information included 6.6 million people's pension and staff records, as well as the details of customers of organizations that Capita supports.
For some people, this included sensitive information such as details of criminal records, financial data, or special category data, the ICO said in its statement.
Making it worse, Capita did not recognize that it had been breached until the end of that March, nine days after its defenses were first compromised.
The ICO’s investigation found that Capita had failed to ensure the security of the personal data it processed, leaving that data at significant risk. The firm was also found to lack the technical and organizational measures needed to respond effectively to the attack.
The ICO, which reports directly to the UK Parliament and has a mandate to uphold digital information rights in the public interest, also stresses that any organization that detects a personal data breach must inform the regulator within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to people’s rights and freedoms.
Capita didn’t do that. In fact, despite a high-priority security alert being raised within 10 minutes of the breach and some immediate automated action being taken, Capita did not quarantine the compromised device for 58 hours, during which the attacker was able to exploit its systems.
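The figures above (alert within 10 minutes, quarantine 58 hours later, attacker active for about nine days, and a 72-hour notification clock) are exactly the numbers an incident-response lead is asked to reconstruct from a timeline. The script below is an added example, not Capita’s, the ICO’s, or any vendor’s code: it parses constructed EDR/SIEM-style event lines, then computes time-to-alert, alert-to-containment, the attacker’s window, and whether a notification landed inside 72 hours. The log format, hostnames, timestamps, the one-hour containment SLA and the choice of the first high-priority alert as the “moment of awareness” are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Policy thresholds: assumptions for this example, not figures from the ICO notice.
CONTAINMENT_SLA = timedelta(hours=1)   # isolate a host within an hour of a high-priority alert
NOTIFY_WINDOW = timedelta(hours=72)    # UK GDPR Art. 33: notify the ICO within 72 hours of awareness

# Constructed EDR/SIEM-style timeline (hostnames and times invented), shaped
# after the article's figures: alert 10 minutes after initial access, host
# quarantined 58 hours after the alert, ransomware nine days after initial access.
SAMPLE_LOG = """\
2023-03-22T09:00:00Z host=ws-17 event=initial_access
2023-03-22T09:10:00Z host=ws-17 event=alert severity=high
2023-03-22T09:10:30Z host=ws-17 event=automated_action action=kill_process
2023-03-24T19:10:00Z host=ws-17 event=quarantine
2023-03-24T20:00:00Z host=- event=regulator_notified
2023-03-31T09:00:00Z host=many event=ransomware_deployed
"""


def parse_timeline(text):
    """Parse 'ISO8601 key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def first_event(events, name):
    """Return the earliest event of the given type, or None if it never occurred."""
    return next((e for e in events if e["event"] == name), None)


def assess(events):
    """Derive the response metrics a regulator (or an IR lead) asks about."""
    access = first_event(events, "initial_access")
    alert = first_event(events, "alert")
    quarantine = first_event(events, "quarantine")
    ransomware = first_event(events, "ransomware_deployed")
    notified = first_event(events, "regulator_notified")
    if alert is None:
        raise ValueError("no alert in timeline: this is a detection gap, not a response gap")

    # Assumption: the first high-priority alert is when the organisation 'became aware',
    # so the 72-hour notification clock starts here.
    awareness = alert["ts"]
    deadline = awareness + NOTIFY_WINDOW
    result = {
        "time_to_alert": (alert["ts"] - access["ts"]) if access else None,
        "alert_to_quarantine": (quarantine["ts"] - awareness) if quarantine else None,
        "attacker_window": (ransomware["ts"] - access["ts"]) if ransomware and access else None,
        "notify_deadline": deadline,
        "notified_on_time": bool(notified and notified["ts"] <= deadline),
    }
    gap = result["alert_to_quarantine"]
    # A host that is never quarantined counts as an SLA breach, not as "no data".
    result["containment_sla_breached"] = gap is None or gap > CONTAINMENT_SLA
    return result


if __name__ == "__main__":
    for key, value in assess(parse_timeline(SAMPLE_LOG)).items():
        print(f"{key:24} {value}")
```

The point of the `containment_sla_breached` flag is that an alert which fires in ten minutes buys nothing if the isolation step is manual and sits in a queue; the metric to report (and to alert on) is alert-to-containment, not time-to-detect.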
“When a company of Capita’s size falls short, the consequences can be significant,” said John Edwards, UK Information Commissioner.
“Not only for those whose data is compromised – many of whom have told us of the anxiety and stress they have suffered – but for wider trust amongst the public and for our future prosperity. As our fine shows, no organization is too big to ignore its responsibilities.”
Indeed, Capita Pension Solutions Limited processes personal information on behalf of over 600 organizations providing pension schemes to millions of people. 325 of these organizations were impacted by the data breach.
The ICO initially intended to fine Capita – a 50,000-employee firm that provides business support services to governments and companies – a combined £45 million ($60 million). However, the mitigating factors Capita presented to the regulator softened the financial blow.
Dr. Ilia Kolochenko, CEO at ImmuniWeb and a fellow at the British Computer Society (BCS), doesn't think the fine is adequate. He told Cybernews: "Practically speaking, the fine equates to £2 per victim. Given that highly sensitive data was compromised in this disastrous data breach, it may seem to be a very lenient penalty, to put it mildly."
Black Basta, the threat actor behind the data breach, first appeared in 2022, hitting dozens of companies in its first few weeks.
The ransomware gang is now considered inactive due to a combination of law enforcement action and a massive internal data leak in early 2025.