
ICO Fines Capita £14 Million Over Data Breach That Exposed the Personal Information of 6 Million People

The U.K.’s Information Commissioner’s Office (ICO) has fined outsourcing firm Capita £14 million ($18.8M) for its alleged failure to prevent a data breach that compromised the personal information of millions of people.

The cyber attack began on March 22, 2023, after an employee downloaded a malicious file that enabled the attacker to deploy malicious software, escalate privileges, and move laterally across the environment.

It affected 6.6 million people and over 325 organizations working with Capita’s subsidiary, Capita Pension Solutions, which processes over 600 pension schemes.

Capita promised to harden its systems, provided support to the impacted individuals, and cooperated with the relevant authorities following the cyber attack.

However, ICO’s investigation found that Capita had failed to implement the necessary data security measures, and it fined Capita plc and its subsidiary £8 million ($10.7M) and £6 million ($8M), respectively.

ICO had initially suggested a collective fine of £45 million ($60M). However, Capita challenged the provisional decision by presenting a list of mitigating factors which ICO considered, ultimately reducing the final amount.

ICO says the Capita data breach was preventable

ICO accused Capita of failing to isolate the affected device even though the attack was detected within 10 minutes. Instead, the device was quarantined only after more than two days, rather than within the mandatory one-hour response time for an alert of that priority, which allowed the threat actor to move laterally across the network.

“Despite a high priority security alert being raised within 10 minutes of the breach and some immediate automated action being taken, Capita did not quarantine the device for 58 hours, during which the attacker was able to exploit its systems,” ICO explained.

The delay also allowed the attacker to exfiltrate roughly one terabyte of data, install ransomware, and reset login credentials, locking out Capita staff. The data breach leaked customer and staff data, including sensitive and special categories, such as financial information, criminal records, race, religion, and sexual orientation.

ICO also found that Capita had failed to implement appropriate technical and organisational measures to ensure data security. These included not tiering administrative accounts, which left privilege escalation and lateral movement open to the attacker, and not responding promptly to security alerts. The firm also allegedly failed to perform adequate penetration testing and risk assessments before the breach.
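Tiering administrative accounts means that Tier 0 credentials (domain admins and identity infrastructure) are never used to log on to Tier 1 servers or Tier 2 workstations, so a compromised endpoint cannot expose a credential that controls the whole domain. The script below is an added illustration of the check a security team would run to catch exactly that kind of violation; it is not part of this article or of Capita’s or ICO’s material. The logon events, account names, host names and tier assignments are all constructed for the example.

```python
"""Flag administrative-tier violations in Windows logon events.

Rule: an account must never perform a credential-exposing logon (interactive,
RDP, cached interactive) on a host of a LOWER trust tier than the account
itself, because the credential then sits in LSASS or the credential cache of
that host and can be harvested and reused for lateral movement.

Everything below (account/host names, tier mappings, event lines) is
constructed sample data for the illustration, not Capita's environment.
"""
from dataclasses import dataclass

# Assumed tier assignments for the example (Tier 0 = most privileged).
ACCOUNT_TIER = {
    "CORP\\da-alice": 0,     # domain admin
    "CORP\\srvadm-bob": 1,   # server administrator
    "CORP\\carol": 2,        # standard user
}
HOST_TIER = {
    "DC01": 0,      # domain controller
    "FS01": 1,      # file server
    "WS-0412": 2,   # user workstation
}

# Event ID 4624 logon types that leave reusable credentials on the target host:
# 2 = Interactive, 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
# Type 3 (Network) does not cache the credential on the target, so it is not
# treated as a tiering violation by this check.
CREDENTIAL_EXPOSING_LOGON_TYPES = {2, 10, 11}

# Constructed sample log lines: "<timestamp> <event id> account=... host=... type=N".
SAMPLE_EVENTS = """\
2023-03-22T09:14:02Z 4624 account=CORP\\carol host=WS-0412 type=2
2023-03-22T09:20:11Z 4624 account=CORP\\da-alice host=DC01 type=10
2023-03-22T09:41:37Z 4624 account=CORP\\da-alice host=WS-0412 type=10
2023-03-22T10:02:45Z 4624 account=CORP\\srvadm-bob host=FS01 type=3
2023-03-22T10:05:13Z 4624 account=CORP\\srvadm-bob host=WS-0412 type=2
2023-03-22T10:09:58Z 4624 account=CORP\\da-alice host=FS01 type=3
"""


@dataclass(frozen=True)
class Logon:
    timestamp: str
    account: str
    host: str
    logon_type: int


def parse_event(line: str) -> Logon:
    """Parse one constructed log line into a Logon record."""
    timestamp, _event_id, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return Logon(timestamp, kv["account"], kv["host"], int(kv["type"]))


def load_events(text: str) -> list[Logon]:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def tier_violations(events: list[Logon]) -> list[Logon]:
    """Return logons where a higher-tier account exposed its credential on a lower-tier host."""
    found = []
    for event in events:
        account_tier = ACCOUNT_TIER.get(event.account)
        host_tier = HOST_TIER.get(event.host)
        if account_tier is None or host_tier is None:
            continue  # unmapped asset: not covered by this check
        # Lower tier number = more privileged; a privileged account on a less
        # trusted host is the violation.
        if event.logon_type in CREDENTIAL_EXPOSING_LOGON_TYPES and account_tier < host_tier:
            found.append(event)
    return found


if __name__ == "__main__":
    for v in tier_violations(load_events(SAMPLE_EVENTS)):
        print(f"{v.timestamp} tier-{ACCOUNT_TIER[v.account]} account {v.account} "
              f"logged on (type {v.logon_type}) to tier-{HOST_TIER[v.host]} host {v.host}")
```

Run against the sample, the check flags the domain admin’s RDP session to the workstation and the server administrator’s interactive logon to the same workstation, while the network logons to the file server pass. In a real deployment the tier mappings would come from the directory (privileged groups and OU placement) rather than a hard-coded table, and the alert would feed the same one-hour response process the ICO notice describes.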

John Edwards, the U.K.’s Information Commissioner, said the data breach was entirely preventable had Capita applied the necessary security measures.

“Capita failed in its duty to protect the data entrusted to it by millions of people. The scale of this breach and its impact could have been prevented had sufficient security measures been in place,” he said.

Companies must fulfill data security obligations

He warned that every organization, regardless of its size, must fulfill its data security obligations in the face of increasing cyber attacks: “With so many cyber attacks in the headlines, our message is clear: every organisation, no matter how large, must take proactive steps to keep people’s data secure.”

Meanwhile, Capita has agreed to a voluntary settlement, admitted limited liability, and promised it would not appeal the data breach fine.

In 2023, Capita had anticipated the data breach would cost the company £25 million ($33.6M) in recovery, remediation, and cybersecurity investment costs without accounting for the ICO fines.

Capita was one of several large U.K. organisations hit by significant cyber attacks in early 2023, alongside WH Smith and Royal Mail, whose operations were disrupted for months.