Capita given penalty £14m over cyberattack despite urging ICO to apply non-fining public-sector approach


The company’s submissions cited its ‘very small margins’ and claimed it was being ‘held to an alternative standard’ to its peers, but the regulator has still imposed a big fine

Major government supplier Capita has been hit with a £14m fine over a 2023 cyberattack in which the personal information of 6.6 million people was stolen.

The penalty was imposed by the Information Commissioner’s Office despite the company’s submissions arguing that it should be treated in the same way as its public-sector customers – organisations which the regulator tends to avoid penalising financially. Capita also made representations for its fine to be reduced on account of its “very small margins” and claimed that it had been “held to an alternative standard” compared with similar cases – an assertion which the commissioner did not accept.

The incident in question was sparked by the unintentional download of a malicious file onto a Capita employee’s device in March 2023. Within 10 minutes of this, a “high-priority security alert” was raised – but “Capita did not quarantine the device for 58 hours, during which the attacker was able to exploit its systems”, according to the ICO. The firm’s target response time for taking this kind of mitigating action is one hour.

During the more than two-day period in which the machine remained connected to the wider network, almost one terabyte of data was stolen, including personal details contained in pension files and staff records. Some 6.6 million people across 325 organisations were impacted. The attackers subsequently deployed ransomware and “reset all user passwords, preventing Capita staff from accessing their systems and network”, the regulator said.

About half of the outsourcer’s roster of customers for which it manages pension schemes – which includes many public bodies, encompassing central government, local authorities, NHS organisations and police services – were affected by the breach.

Given the firm’s role in supporting these public-services providers, its representations during the ICO’s considerations suggested that the watchdog should apply its public-sector approach – a model which has been in place since 2022 and under which the regulator typically avoids fining public bodies, instead issuing formal public reprimands urging improvements in data-protection practices.

“Although Capita states that the profit margin from Capita’s public sector work is modest, Capita is nevertheless a commercial business which exists to make a profit,” the ICO said in its full penalty notice, which also noted that the company is a large business “with a variety of clients including those in the private sector”.

“It is clear that the commissioner’s public-sector approach is not intended to be applied to organisations such as Capita… and therefore will not be applied to the proposed penalties,” the notice added.


£14m
Total penalty issued, reduced from an original proposal of £45m

325
Capita customers affected by the attack, potentially including numerous public bodies

6.6 million
Number of individuals whose data was compromised

58 hours
Length of time it took Capita to quarantine an infected device, against a target response time of one hour


In arguing for a significant reduction in the ICO’s planned penalty – which was originally slated at £45m – Capita also told the regulator that it is “a very small-margins business”, and suggested that it “appears to have been held to an alternative standard to other similar businesses that have suffered comparable or serious cyber incidents”.

The watchdog’s notice responded: “Each incident that is reported to the commissioner, whether cyber or otherwise, is considered on its own facts. The commissioner is entitled to exercise his discretion as to which matters to investigate and when to take enforcement action. Each case will have different circumstances, and therefore different factors to take into consideration in relation to potential infringements and, if necessary, consideration for a penalty… In respect of the investigation into Capita, the commissioner considers there to be sufficient evidence to justify the infringement findings… and that, in all the circumstances the penalties against Capita… are proportionate, effective and dissuasive.”

While the initially proposed fine has been reduced by more than two thirds, an eight-figure punishment has still been imposed on the company – including an £8m penalty levied on the parent company Capita Plc and a £6m fine for specialist subsidiary Capita Pension Solutions Limited. Despite the arguments it made during the ICO’s considerations, Capita has agreed to this total penalty as a “voluntary settlement”, the watchdog indicated.

“Capita failed in its duty to protect the data entrusted to it by millions of people,” said information commissioner John Edwards. “The scale of this breach and its impact could have been prevented had sufficient security measures been in place. When a company of Capita’s size falls short, the consequences can be significant. Not only for those whose data is compromised – many of whom have told us of the anxiety and stress they have suffered – but for wider trust amongst the public and for our future prosperity. As our fine shows, no organisation is too big to ignore its responsibilities.”

He added: “Maintaining good cybersecurity is fundamental to economic growth and security. With so many cyberattacks in the headlines, our message is clear: every organisation, no matter how large, must take proactive steps to keep people’s data secure. Cybercriminals don’t wait, so businesses can’t afford to wait either – taking action today could prevent the worst from happening tomorrow.”

Testing times
The ICO’s investigation identified a number of ways in which, prior to the attack, Capita had not taken sufficient steps to protect the customer data it holds and processes.

This includes a “failure to prevent privilege escalation and unauthorised lateral movement… [which] allowed the attacker to escalate privileges, move laterally across multiple domains and compromise critical systems”.


“These failings were flagged as a vulnerability on at least three separate occasions but were not remedied,” the ICO added.

The firm was also found to have shown a “failure to respond appropriately to security alerts”, and ran a security operations centre that “was understaffed, and in at least six months before the incident, fell well below the target response times for responding to security alerts”.
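The two findings above (a high-priority alert that took 58 hours to act on against a one-hour target, and a SOC that had been missing its target response times for months) come down to one measurable quantity: time from alert to containment. The script below is an added illustration, written for this article rather than taken from Capita, the ICO or any product, of how a SOC can compute that metric and flag SLA breaches from its own alert and containment records. The log format, host names, timestamps and the per-severity targets other than the one-hour high-priority figure are all assumptions, and the sample log is constructed; it does not describe the Capita intrusion.

```python
"""Alert-to-containment SLA check over a constructed alert/quarantine log.

Added example, not code from the article or from Capita/the ICO. The log
format and the medium/low targets are assumptions; only the one-hour target
for a high-priority alert comes from the article.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Target alert-to-containment time by severity (assumed, except "high").
SLA_BY_SEVERITY = {
    "high": timedelta(hours=1),
    "medium": timedelta(hours=4),
    "low": timedelta(hours=24),
}

# Constructed sample log: "timestamp|event|host[|severity]". Not real data.
SAMPLE_LOG = """\
2023-03-22T09:00:00|alert|ws-0417|high
2023-03-22T09:10:00|alert|ws-0422|medium
2023-03-22T09:30:00|quarantine|ws-0422
2023-03-23T14:00:00|alert|ws-0510|low
2023-03-24T19:00:00|quarantine|ws-0417
2023-03-25T08:00:00|alert|ws-0601|high
"""

# Time at which the report is generated (constructed); open incidents are
# measured against this so a never-contained alert still counts as a breach.
AS_OF = datetime(2023, 3, 25, 10, 0, 0)


@dataclass
class Incident:
    host: str
    severity: str
    alerted: datetime
    contained: Optional[datetime] = None


def parse_log(text: str):
    """Parse log lines into (timestamp, event, host, severity) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        ts = datetime.fromisoformat(parts[0])
        kind, host = parts[1], parts[2]
        severity = parts[3] if len(parts) > 3 else None
        events.append((ts, kind, host, severity))
    return sorted(events)


def pair_alerts(events):
    """Open an incident on the first alert for a host; close it on the next quarantine."""
    open_by_host = {}
    incidents = []
    for ts, kind, host, severity in events:
        if kind == "alert":
            if host in open_by_host:
                continue  # keep the earliest alert time for an already-open incident
            inc = Incident(host, severity, ts)
            open_by_host[host] = inc
            incidents.append(inc)
        elif kind == "quarantine" and host in open_by_host:
            open_by_host.pop(host).contained = ts
    return incidents


def sla_report(events, as_of: datetime):
    """Return one row per incident with elapsed time, target and breach flag."""
    rows = []
    for inc in pair_alerts(events):
        elapsed = (inc.contained or as_of) - inc.alerted
        target = SLA_BY_SEVERITY[inc.severity]
        rows.append({
            "host": inc.host,
            "severity": inc.severity,
            "contained": inc.contained is not None,
            "hours": elapsed.total_seconds() / 3600,
            "target_hours": target.total_seconds() / 3600,
            "breached": elapsed > target,
        })
    return rows


def compliance_rate(rows) -> float:
    """Fraction of incidents contained within their target."""
    if not rows:
        return 1.0
    return sum(1 for r in rows if not r["breached"]) / len(rows)


if __name__ == "__main__":
    report = sla_report(parse_log(SAMPLE_LOG), AS_OF)
    for r in report:
        state = "contained" if r["contained"] else "OPEN"
        flag = "BREACH" if r["breached"] else "ok"
        print(f"{r['host']:8} {r['severity']:6} {state:9} "
              f"{r['hours']:6.1f}h / {r['target_hours']:.0f}h  {flag}")
    print(f"within SLA: {compliance_rate(report):.0%}")
```

Two design points matter in practice: an alert with no containment event is measured against the report time rather than silently dropped, so a queue of unworked alerts shows up as breaches instead of disappearing from the metric; and the incident clock starts at the first alert on a host, so repeated alerts on the same machine cannot reset it. Run over a month of real records, the compliance rate per severity is exactly the figure the ICO says Capita’s SOC had been missing.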

Another major issue was “inadequate penetration testing and risk assessment”. Even where tests were conducted, “findings… were siloed within business units [and] risks identified that affected the wider Capita network were not universally addressed”.

In an update posted on its website and issued on the London Stock Exchange, where it is listed, Capita expressed its regret over the incident and said that “following a detailed forensic investigation, all those identified as potentially impacted were contacted after the attack”.

The firm’s chief executive Adolfo Hernandez added: “As an organisation delivering essential public services as well as key services for private sector clients, Capita was among the first in the recent wave of highly significant cyberattacks on large UK companies. When I joined as CEO the year after the attack I accelerated our cyber security transformation, with new digital and technology leadership and significant investment. As a result, we have hugely strengthened our cybersecurity posture, built in advanced protections and embedded a culture of continuous vigilance. Following an extended period of dialogue with the ICO over the last two years, we are pleased to have concluded this matter and reach today’s settlement. The Capita team continues to focus tirelessly on our group transformation journey for the benefit of our customers, our people and wider society.”

Sam Trendall
