Outsourcing megafirm Capita has been hit with a £14 million penalty by the Information Commissioner’s Office (ICO). The penalty follows the significant cyber-attack in March 2023 that compromised the personal information of nearly 6.6 million individuals. The scale of the attack has badly damaged Capita’s reputation and posed huge challenges for the management of the more than 600 pension funds the company administers.
The breach happened when attackers took advantage of data left unsecured on the internet, which allowed them to penetrate 325 pension schemes. The incident led to a deeper investigation by the ICO, which determined that Capita had failed to implement sufficient security controls to safeguard personal data. The watchdog’s initial proposed penalty had been £45 million. After my negotiations and discussions with them, they brought it down to £14 million.
“Capita failed in its duty to protect the data entrusted to it by millions of people,” stated Information Commissioner John Edwards. He emphasized that “the scale of this breach and its impact could have been prevented had sufficient security measures been in place.”
In answer to the breach, Capita has stated that it has taken extensive steps to improve its cyber-security measures. The company engaged with other regulatory bodies and collaborated with the National Cyber Security Centre (NCSC) to address the vulnerabilities identified during the attack. Furthermore, Capita has offered support services to those affected by the data theft, demonstrating a commitment to mitigating the fallout from this incident.
The outsourcer announced record revenues of £2.4 billion last year. This robust financial performance will likely soften the blow, but the fine is nonetheless severe. Adolfo Hernandez, a representative from Capita, expressed satisfaction with the resolution of the case, stating that he is “pleased to have concluded this matter and reached today’s settlement.”
The NCSC has previously recorded a huge increase in attacks deemed nationally important this year. This recurring issue exemplifies why it’s critical that Fortune 1000 companies improve their cybersecurity protections. The number of data breaches has increased dramatically. Consequently, companies such as Capita are under heightened scrutiny to protect sensitive data from hostile actors.