
The Information Commissioner’s Office (ICO) in the UK has fined Capita, a provider of data-driven business process services, £14 million ($18.7 million) over a data breach incident in 2023 that exposed the personal information of 6.6 million people.
Capita is a leading UK-based outsourcing and professional services company providing consulting, digital and software services to local councils, the NHS, the Ministry of Defence, and organizations in the banking, utilities and telecommunications sectors.
Capita has approximately 34,000 employees and annual revenues of around £3 billion, with clients mostly in the UK and Europe.
Hundreds of retirement plan providers affected
The ICO had initially set the fine at more than £45 million, but reduced it after the company admitted liability, implemented significant security improvements and offered data protection services to the affected individuals.
The penalty is split between two entities: Capita PLC was fined £8 million and Capita Pension Solutions Ltd £6 million.
The ICO’s investigation has now confirmed that the stolen data affected 6.6 million people and hundreds of thousands of Capita customers, including 325 pension plan providers in the UK.
In April 2023, the company announced that it had been targeted by hackers who attempted to access its internal Microsoft 365 environment, and that it had taken some systems offline in response.
An update three weeks later confirmed that the attackers had accessed roughly 4% of Capita’s internal IT infrastructure and had exfiltrated files hosted on the breached systems.
The Black Basta ransomware gang claimed responsibility for the attack and threatened to leak all stolen files if the company did not pay the ransom.
Hackers had access for 58 hours
The intrusion began on March 22, 2023, when a Capita employee downloaded a malicious file that gave the attackers a foothold on the company’s internal network.
The ICO notes that, even though a security alert was raised within 10 minutes, Capita did not isolate the infected device for the following 58 hours, giving the attackers time to move laterally, spread across the network and reach sensitive databases.
“This file enabled the deployment of malicious software on the Capita network, allowing the hacker to remain in the system, gain administrator permissions, and access other areas of the network.” Information Commissioner’s Office
The UK Data Protection Authority says, “Between 29 and 30 March 2023, approximately one terabyte of data was exfiltrated. On 31 March 2023, ransomware was deployed on Capita systems and the hacker reset all user passwords, preventing Capita employees from accessing their systems and networks.”
The ICO’s findings behind the fine were weak access controls (in particular, the absence of a tiered administrative account model), a slow response to security alerts, an understaffed security operations centre, and a failure to carry out regular penetration testing and risk management exercises.
Capita CEO Adolfo Hernandez said that the settlement with the ICO reflects the effort and investment that has gone into strengthening the firm’s cybersecurity posture since the incident.
He added that he did not expect payment of the fine to have any impact on the company’s previously published investor guidance.