Capita Fined £14M for Breach Exposing 6.6M Users’ Data

The Information Commissioner’s Office (ICO) has levied a £14 million penalty against Capita plc and its subsidiary, Capita Pension Solutions Limited (CPSL), following a significant data breach in March 2023 that compromised the personal information of approximately 6.6 million individuals.

The fine, split into £8 million for Capita plc as a data controller and £6 million for CPSL as a data processor, represents a voluntary settlement after Capita acknowledged liability and agreed not to appeal.

Scope and Sensitivity of Compromised Data

In March 2023, a malicious file downloaded onto an employee’s device enabled cybercriminals to infiltrate Capita’s network. Although an automated alert was triggered within ten minutes, the infected device was not quarantined for 58 hours.

During this period, attackers escalated privileges, moved laterally across multiple domains and exfiltrated nearly one terabyte of data between 29 and 30 March. By 31 March, ransomware was deployed and user passwords reset, effectively locking Capita staff out of their own systems.

  • Approximately 6.6 million individuals’ pension and staff records exposed.
  • Nearly 1 TB of data exfiltrated over two days.
  • A 58-hour delay before quarantine of the infected device.
  • At least 93 formal complaints received by the ICO.
  • CPSL processes data for more than 600 client organisations, 325 of which were affected.

Stolen records encompassed pension schemes, staff details and customer information for organisations served by Capita. In some cases, sensitive categories such as criminal history, financial data and special category data were also exposed.

CPSL alone handles personal information on behalf of over 600 clients, 325 of which had members affected by the breach. The ICO received at least 93 formal complaints related to the incident.

Failures in Security Controls and Incident Response

An ICO investigation identified multiple contraventions of UK GDPR requirements. First, Capita lacked a tiered administrative account model, which enabled privilege escalation and unauthorised lateral movement; these weaknesses had been flagged on three separate occasions but were never remediated.

Second, response times to security alerts fell far short of targets: a critical warning was ignored for 58 hours versus the one-hour goal, partly due to chronic understaffing in the Security Operations Centre.

Third, penetration testing and risk assessments were insufficient. Systems processing millions of records underwent testing only upon commissioning, with no follow-up tests thereafter. Moreover, findings remained siloed, preventing organisation-wide remediation of identified vulnerabilities.

  • No tiering model for administrative accounts, allowing lateral movement.
  • Critical alert response time target of one hour missed by 57 hours.
  • Security Operations Centre understaffed and slow to act.
  • Penetration tests conducted only once, with no regular retesting.
  • Vulnerability findings not shared across business units.
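The tiering model named in the first finding can be checked mechanically against logon telemetry. The script below is an added illustration (not Capita's or the ICO's code) of that check; the account names, host names, tier assignments and log line format are all constructed.

```python
"""Tiered-admin model check over constructed logon records (added example,
not from the ICO report or Capita). Tier 0 = identity systems, Tier 1 =
servers, Tier 2 = workstations; a privileged account must not log on
interactively to a less trusted tier, where its credential could be stolen.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed inventories with hypothetical names.
ACCOUNT_TIER = {"da-alice": 0, "da-dave": 0, "srv-bob": 1, "carol": 2}
HOST_TIER = {"DC01": 0, "FILESRV02": 1, "WS-1234": 2, "WS-5678": 2}
INTERACTIVE = {2, 10}  # Windows logon types: 2 local, 10 RDP; 3 is network

@dataclass(frozen=True)
class Logon:
    ts: datetime
    account: str
    host: str
    logon_type: int

def parse_logon(line):
    """Parse 'ISO-TS account=X host=Y type=N' (constructed format)."""
    ts, *kv = line.split()
    f = dict(p.split("=", 1) for p in kv)
    return Logon(datetime.fromisoformat(ts), f["account"], f["host"], int(f["type"]))

def cross_tier_logons(events):
    """Interactive logons where the account tier is more privileged (lower
    number) than the host tier. Network logons (type 3) do not leave a
    reusable credential on the host and are not flagged here."""
    findings = []
    for e in events:
        if e.logon_type not in INTERACTIVE:
            continue
        a, h = ACCOUNT_TIER.get(e.account), HOST_TIER.get(e.host)
        if a is None or h is None:
            continue  # unknown account or host: inventory gap, not a tier violation
        if a < h:
            findings.append((e.account, a, e.host, h))
    return findings

# Constructed sample records.
SAMPLE = """2023-03-22T09:14:00 account=da-alice host=WS-1234 type=2
2023-03-22T09:20:00 account=da-alice host=DC01 type=3
2023-03-22T10:02:00 account=srv-bob host=FILESRV02 type=10
2023-03-22T10:30:00 account=carol host=WS-5678 type=2
2023-03-22T11:45:00 account=da-dave host=FILESRV02 type=10
2023-03-22T12:10:00 account=srv-bob host=WS-1234 type=2""".splitlines()

if __name__ == "__main__":
    for acct, at, host, ht in cross_tier_logons(map(parse_logon, SAMPLE)):
        print(f"tier {at} account {acct} logged on interactively to tier {ht} host {host}")
```

Each flagged row is a place where a higher-tier credential was exposed on a lower-tier machine, which is exactly the path a workstation compromise needs in order to reach domain-level privilege.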

ICO Commissioner John Edwards emphasised that “the scale of this breach and its impact could have been prevented had sufficient security measures been in place,” and warned that “no organisation is too big to ignore its responsibilities.”

He underscored that maintaining robust cybersecurity is fundamental to both public trust and economic security.

Mitigations and Wider Implications

Following provisional notification of a £45 million fine, Capita submitted representations highlighting post-breach improvements, support provided to affected individuals and collaboration with regulators, including the National Cyber Security Centre.

Capita has offered 12 months of free credit monitoring through Experian, with over 260,000 activations, and established a dedicated call centre for victims.

The breach serves as a cautionary tale for organisations handling large volumes of personal data. The ICO recommends adhering to the National Cyber Security Centre’s guidance on preventing lateral movement, enforcing the principle of least privilege, maintaining timely alert responses, sharing penetration-test findings across units and investing proactively in key security controls.

Data controllers and processors should also clarify responsibilities in their contracts to ensure robust protection of individuals’ information.

The post Capita Fined £14M for Breach Exposing 6.6M Users’ Data appeared first on Cyber Security News.
