Capita Fined £14 Million for 2023 Data Breach Affecting 6.6 Million People
Key Takeaways
- Record Fine for Data Failings: The UK Information Commissioner’s Office fined Capita and its pensions arm a combined £14 million for the 2023 cyberattack that compromised 6.6 million people’s data.
- Delayed Response Worsened Breach: Although an alert was raised within ten minutes, Capita took 58 hours to quarantine the infected device, allowing hackers to steal nearly one terabyte of data.
- Systemic Security Failures: The ICO found multiple failings, including weak privilege controls, outdated penetration testing, and an understaffed security operations team.
- Reduced from £45 Million: The ICO initially proposed a £45 million penalty but accepted a voluntary settlement after Capita acknowledged liability and implemented corrective actions.
- Regulator’s Warning to All Businesses: Information Commissioner John Edwards warned that no organisation is too big to ignore cybersecurity, stressing that “taking action today could prevent the worst from happening tomorrow.”
Deep Dive
The UK Information Commissioner’s Office (ICO) has fined outsourcing giant Capita and its pensions subsidiary a combined £14 million for failing to protect personal data in a 2023 cyberattack that exposed the information of 6.6 million people.
Capita plc was fined £8 million, while Capita Pension Solutions Limited received a £6 million penalty. The ICO said both entities “failed to ensure the security of processing of personal data,” leaving millions at risk of identity theft, fraud, and long-term anxiety.
The cyberattack occurred in March 2023, when a malicious file was unintentionally downloaded onto an employee’s device. Although a high-priority alert was raised within ten minutes, Capita took 58 hours to quarantine the affected device, giving the attacker ample time to infiltrate the network.
During that window, the hacker gained administrator permissions and moved laterally across systems, ultimately stealing nearly one terabyte of data between 29 and 30 March 2023. The stolen files included pension and staff records, as well as sensitive information such as financial data, criminal record details, and special category data.
The breach impacted 325 pension scheme clients and over 600 organisations using Capita’s pension services.
ICO Findings
The ICO’s investigation revealed a series of failings at Capita, including:
- Weak privilege controls: The company failed to implement a tiered model for administrative accounts, allowing the attacker to escalate privileges and access critical systems. This vulnerability had been identified at least three times before but was never fixed.
- Delayed response: Capita’s internal security team took more than two days to act on an alert that should have been resolved within an hour. The Security Operations Centre was also chronically understaffed and regularly missed response time targets.
- Inadequate penetration testing: Systems containing millions of personal records were only tested upon launch and not re-tested thereafter. Findings from individual tests were siloed, meaning organisation-wide vulnerabilities went unaddressed.
Information Commissioner John Edwards said the case was a stark reminder of the consequences of poor cyber hygiene.
“Capita failed in its duty to protect the data entrusted to it by millions of people. The scale of this breach and its impact could have been prevented had sufficient security measures been in place,” Edwards said. “When a company of Capita’s size falls short, the consequences can be significant — not only for those affected but for public trust more broadly. Our message is clear: no organisation is too big to ignore its responsibilities.”
Penalty and Settlement
The ICO initially informed Capita of its intention to issue a £45 million penalty. However, after considering the company’s remedial measures, cooperation with authorities, and support for victims, the ICO accepted a voluntary settlement of £14 million.
Capita acknowledged the decision and admitted liability, agreeing not to appeal. Following the breach, the company offered 12 months of Experian credit monitoring to affected individuals and set up a dedicated call centre to manage concerns, with over 260,000 people enrolling in the service.