# Capita Fined £14m After 2023 Breach that Hit 6.6 Million People

Phil Muncaster, 19 October 2025

Capita will not appeal a £14m regulatory penalty for security failings that led to a 2023 data breach impacting nearly seven million people, according to the Information Commissioner's Office (ICO).

The UK data protection regulator said it initially intended to fine the outsourcing giant £45m. However, it decided that improvements made by Capita after the attack, support offered to affected individuals, and engagement with other regulators and the National Cyber Security Centre (NCSC) were enough to reduce the penalty by 69%.

In March 2023, a Capita employee unwittingly downloaded malware to their device after being targeted by a threat actor working with the Black Basta ransomware group.

Although a "high priority security alert" was raised within 10 minutes, the device wasn't quarantined for a further 58 hours, enabling the threat actor to escalate privileges and move laterally to other parts of the network, according to the ICO.

Nine days after the initial breach, on March 31 2023, ransomware was deployed on the Capita network and the threat actor changed all user passwords, locking employees out.

Data stolen by Black Basta included pension and staff records, and sensitive information belonging to customers of Capita clients, such as criminal records, financial data and special category data, the ICO said. Over half (325) of the 600 Capita Pension Solutions clients were impacted.

Last year, 8000 claimants brought a High Court case against Capita.

The company also ran billions of pounds worth of government contracts at the time, for clients including the NHS, HM Prison and Probation Service, the Royal Navy and many others.

## A Catalog of Errors

According to the ICO, Capita infringed the UK GDPR by failing to "implement appropriate technical and organisational measures" such as:

- Failing to prevent privilege escalation and unauthorised lateral movement: there was no "tiering model" (a key tenet of privileged access management) for admin accounts, despite this oversight being flagged on several occasions
- Failing to respond appropriately to security alerts: Capita took 58 hours to respond despite a target response time of just one hour, which was partly due to understaffing in its Security Operations Center (SOC)
- Inadequate pen testing and risk assessment: systems processing millions of records were given only one pen test after being commissioned, and findings were siloed in business units, so identified risks weren't addressed across the business

Information Commissioner John Edwards argued that the incident could have been prevented had "sufficient security measures" been put in place.

"When a company of Capita's size falls short, the consequences can be significant. Not only for those whose data is compromised – many of whom have told us of the anxiety and stress they have suffered – but for wider trust amongst the public and for our future prosperity," he continued.

"As our fine shows, no organization is too big to ignore its responsibilities."

Responding to the news, Capita CEO Adolfo Hernandez stressed the "cybersecurity transformation" that the business has undergone since the incident.

"As a result, we have hugely strengthened our cybersecurity posture, built in advanced protections and embedded a culture of continuous vigilance," he said in a statement.

"Following an extended period of dialogue with the ICO over the last two years, we are pleased to have concluded this matter and reach today's settlement."

The ICO urged organizations to proactively address security risks by:

- Ensuring least privilege principles are enforced and taking other steps to prevent lateral movement
- Regularly monitoring for suspicious activity and responding promptly to alerts
- Sharing the findings of pen tests across the entire organization
- Prioritizing investment in key controls to ensure they're working properly
- Checking "agreements and responsibilities" between data controllers and processors

Image credit: Ahyan Stock Studios / Shutterstock.com