- The UK’s ICO has imposed a £14 million fine on outsourcing company Capita for breaking data protection regulations.
- The organization’s slow reaction to a 2023 cyberattack led to the exposure of the personal information of 6.6 million people.
- The incident cost Capita tens of millions, with insurance covering only a fraction of the total expenses.

A top outsourcing firm in the United Kingdom has received a fine amounting to millions of pounds due to a serious cyber breach exposing the private data of millions of people.
The firm simply did not provide the necessary security for the data that people trusted it with. It failed to resolve already known vulnerabilities, which caused a massive data leak.
The Data Breach and Regulatory Response
Capita, a UK outsourcing giant, just got slapped with a £14 million fine for dropping the ball on user data security. This comes following a cyberattack in March 2023, which left about 6.6 million people’s personal info up for grabs, according to a letter of intent from the Information Commissioner’s Office (ICO). Pension scheme members and corporate employees were among those affected.
The UK’s data watchdog, the ICO, led the investigation. It found Capita “failed to ensure the security of processing of personal data.” This failure left the information at significant risk. The breach impacted 325 different pension schemes.
The regulator’s report highlighted critical errors. Known security vulnerabilities had not been fixed. Capita’s security operations center was understaffed. Response times to threats consistently missed internal targets.
The series of events began on March 22, 2023, when a company employee downloaded a malicious file. An automated alert fired approximately 10 minutes later. However, the company failed to isolate the compromised machine for 58 hours. This delay of more than two days was catastrophic.
Attackers used this time to infiltrate systems. They gained administrator rights and stole nearly a terabyte of information. The stolen data was highly sensitive. It included financial details and criminal record information. Hackers also stole special category data, including information about race, religion, and sexual orientation. Some of this data later appeared on the dark web.
Financial Fallout and Industry Impact
The ICO originally proposed a much larger £45 million penalty. It reduced the fine after considering Capita’s improvements. The company invested in new cyber controls and customer support. Its cooperation with the National Cyber Security Centre was also a factor. Authorities split the final £14 million fine between two Capita entities.
John Edwards, the UK Information Commissioner, was direct. He said Capita “failed in its duty to protect the data entrusted to it.” Edwards said the breach could have been prevented if the company had implemented proper security measures. He warned that “no organisation is too big to ignore its responsibilities.”
The breach was extremely costly for Capita. The company disclosed net costs of £25.3 million in 2023. Later expenses added millions more. The company reported these figures after receiving the insurance payments. This confirms that its cyber insurance only covered part of the damage. A 2024 report showed a credit of just £0.4 million from insurance recoveries.
The case sets a clear precedent for corporate accountability. Trevor Dearing from Illumio told BBC News, “Companies being held financially accountable for data protection failings is a good thing.” He added, “It sends a message that regulators are serious.”
Capita’s new chief executive, Adolfo Hernandez, responded. He said the company has “hugely strengthened our cybersecurity posture.” Hernandez described Capita as being in the “first wave” of major cyberattacks on large UK companies. The firm offered credit monitoring to those affected. Approximately 260,000 people had initiated the service.