ICO fines Capita £14m after millions affected by data breach

Capita has been fined £14m by the Information Commissioner’s Office (ICO) after millions were affected by its data breach.

The fine follows a cyber attack in 2023 in which the personal information of 6.6m people was stolen, from pension records and staff records to the details of customers of organisations Capita supports.

For some, this included sensitive information such as details of criminal records, financial data or special category data.

The ICO said its investigation found that Capita had failed to ensure the security of personal data processing, leaving it at significant risk, and lacked the appropriate technical and organisational measures to respond to the attack effectively.

Capita did not implement a tiering model for administrative accounts, allowing attackers to escalate privileges, move laterally across multiple domains and compromise critical systems. The failings were flagged as a vulnerability on at least three separate occasions but were not remedied.

Capita’s data breach and its impact ‘could have been prevented’

“Capita failed in its duty to protect the data entrusted to it by millions of people. The scale of this breach and its impact could have been prevented had sufficient security measures been in place,” said Information Commissioner John Edwards.

“When a company of Capita’s size falls short, the consequences can be significant. Not only for those whose data is compromised – many of whom have told us of the anxiety and stress they have suffered – but for wider trust amongst the public and for our future prosperity.

“As our fine shows, no organisation is too big to ignore its responsibilities.”

The ICO said it initially planned to fine Capita a total of £45m, but this was later reduced to reflect “mitigating factors”, including security improvements made after the attack and support offered to affected individuals.

Capita plc was fined £8m while Capita Pension Solutions Limited was fined £6m, giving a combined total of £14m.

Capita chief executive Adolfo Hernandez said the company had “hugely strengthened our cybersecurity posture, built in advanced protections and embedded a culture of continuous vigilance.”

“Following an extended period of dialogue with the ICO over the last two years, we are pleased to have concluded this matter and reach today’s settlement,” Hernandez said.
