Capita has been fined £14m for its failure to secure personal data, which led to millions of people’s information being stolen after a Black Basta ransomware cyber attack in March 2023.
The Information Commissioner’s Office (ICO), which imposed the fine, said six million people had been affected by the data breach, with the information stolen including pension and staff records and details of Capita’s customers.
The cost of the breach to Capita could rise because thousands of affected individuals are involved in legal action against the outsourcing services provider.
The incident caused major IT outages and had a significant impact on customer-facing services at many public sector bodies and some operators of critical national infrastructure across the UK, with staff left unable to take calls from members of the public and others falling back on traditional pen and paper. A total of 325 organisations, which are customers of Capita, were impacted by the data breach, said the ICO.
The ICO fined Capita plc £8m and Capita Pension Solutions £6m for failing to ensure the security of its processing of personal data, which left that data at significant risk. It added that the company did not have the “appropriate technical and organisational measures” in place to respond effectively.
UK information commissioner John Edwards said: “Capita failed in its duty to protect the data entrusted to it by millions of people. The scale of this breach and its impact could have been prevented had sufficient security measures been in place.
“When a company of Capita’s size falls short, the consequences can be significant. Not only for those whose data is compromised – many of whom have told us of the anxiety and stress they have suffered – but for wider trust amongst the public and for our future prosperity. As our fine shows, no organisation is too big to ignore its responsibilities.”
The ICO initially planned to fine Capita £45m, but the fine was reduced after the business submitted representations and mitigating factors, including improvements it made following the attack, support offered to affected individuals and engagement with other regulators.
The attack began when a malicious file was unintentionally downloaded onto an employee’s device. Capita did not quarantine that device for 58 hours, which gave the attacker the time to move from it into Capita’s systems.
Adolfo Hernandez, CEO at Capita, said: “When I joined as CEO the year after the attack I accelerated our cyber security transformation, with new digital and technology leadership and significant investment. As a result, we have hugely strengthened our cybersecurity posture, built in advanced protections and embedded a culture of continuous vigilance.
“Following an extended period of dialogue with the ICO over the last two years, we are pleased to have concluded this matter and reach today’s settlement.”
Adnan Malik, head of data protection at Barings Law, which is undertaking legal action on behalf of thousands of affected individuals against Capita, said the ICO fine represents less than 1% of Capita’s annual revenue, which last year exceeded £2bn.
“It does little to set right the harms caused by the firm’s inadequate cyber security procedures, which led to the loss of highly sensitive data, including benefits and pension records,” added Malik.
“The ICO fine is separate to Barings Law’s legal action against Capita, and changes nothing about its ongoing claim,” added Malik. “If anything, we would expect that this will mean our case progresses more quickly.”
He said there are increasing data breaches against major firms, which are incredibly damaging to people’s finances, privacy and trust. “This fine, and mounting legal proceedings, should be a wake-up call to any firm still playing fast and loose with its customers’ data.”