
Capita Hit With £14m Fine Over 6.6 Million Data Breach

Summary

– Capita accepted a £14m fine for security failures in a 2023 data breach affecting nearly seven million people, reduced from an initial £45m due to post-incident improvements.
– The breach began when an employee downloaded malware, and despite a quick alert, the device wasn’t quarantined for 58 hours, allowing attackers to escalate privileges and move through the network.
– Stolen data included pension records, staff information, and sensitive client data such as criminal records and financial details, impacting over half of Capita Pension Solutions clients.
– The ICO found Capita violated UK GDPR by failing to implement adequate security measures, including poor privileged access management, slow response to alerts, and insufficient penetration testing.
– Information Commissioner John Edwards emphasized that the breach was preventable and highlighted the broader consequences for public trust, while Capita’s CEO stated the company has since strengthened its cybersecurity posture.

The outsourcing firm Capita has agreed to pay a £14 million penalty imposed by the UK’s Information Commissioner’s Office for a major data breach that compromised the personal information of approximately 6.6 million individuals. Initially facing a potential fine of £45 million, the company saw the penalty reduced significantly after demonstrating substantial improvements to its security framework, providing support to those affected, and cooperating with regulatory bodies and the National Cyber Security Centre.

In March 2023, a Capita employee accidentally installed malware on their device after being targeted by a threat actor linked to the Black Basta ransomware group. Although a high-priority security alert was triggered within ten minutes, the compromised device remained unquarantined for an additional 58 hours. This delay allowed the attacker to escalate their access privileges and move laterally across the network. Nine days after the initial intrusion, ransomware was activated across Capita’s systems, and the attacker reset all user passwords, effectively locking employees out of their accounts.

The stolen data included pension and employee records, along with highly sensitive customer information from Capita’s clients. This encompassed criminal records, financial details, and special category personal data. More than half of the 600 Capita Pension Solutions clients were impacted by the breach. Last year, around 8,000 claimants initiated a High Court case against the company. At the time of the incident, Capita was managing billions of pounds in government contracts for organizations such as the NHS, HM Prison and Probation Service, and the Royal Navy.

A detailed investigation by the ICO revealed that Capita had violated UK GDPR requirements by failing to implement adequate technical and organizational security measures. Specific failures included the absence of a tiering model for administrative accounts, which had been flagged repeatedly but never addressed. This oversight allowed unauthorized privilege escalation and lateral movement within the network. Additionally, the company’s Security Operations Center was understaffed, leading to a critical 58-hour delay in responding to the security alert, far exceeding the one-hour target response time. Penetration testing was also found to be insufficient; systems handling millions of records were tested only once after deployment, and identified risks were not communicated or remediated across the organization.
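The one-hour response target versus the 58-hour delay is the kind of gap a SOC can measure directly from its own timeline. The following script is an added illustration written for this article, not code from Capita, the ICO or InfoSecurity Magazine; the log lines, hostnames and timestamps are constructed, and the one-hour SLA is the target figure quoted above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed SOC timeline for illustration only; not data from the Capita investigation.
# Line format: "<ISO timestamp> | <host> | <event>"
SAMPLE_LOG = """\
2023-03-22T08:50:00 | ws-0412 | infection: user ran malicious download
2023-03-22T09:00:00 | ws-0412 | alert: high-priority malware detected
2023-03-22T10:00:00 | ws-0199 | alert: high-priority malware detected
2023-03-22T10:35:00 | ws-0199 | quarantine: host isolated from network
2023-03-23T11:00:00 | srv-db01 | alert: high-priority credential dumping
2023-03-24T19:00:00 | ws-0412 | quarantine: host isolated from network
"""

SLA = timedelta(hours=1)  # the one-hour target cited in the ICO findings


@dataclass
class Containment:
    host: str
    alerted: datetime
    quarantined: Optional[datetime]

    @property
    def delay(self) -> Optional[timedelta]:
        return None if self.quarantined is None else self.quarantined - self.alerted

    @property
    def sla_breached(self) -> bool:
        # An alert that was never followed by a quarantine counts as breached.
        return self.delay is None or self.delay > SLA


def parse_log(text: str):
    for line in text.splitlines():
        ts, host, event = (part.strip() for part in line.split("|", 2))
        yield datetime.fromisoformat(ts), host, event


def containment_report(text: str) -> dict:
    """Pair each host's first high-priority alert with its first later quarantine."""
    report: dict = {}
    for ts, host, event in parse_log(text):  # lines are assumed to be in time order
        if event.startswith("alert:") and host not in report:
            report[host] = Containment(host, ts, None)
        elif event.startswith("quarantine:") and host in report and report[host].quarantined is None:
            report[host].quarantined = ts
    return report


if __name__ == "__main__":
    for c in containment_report(SAMPLE_LOG).values():
        status = "OPEN" if c.delay is None else f"{c.delay.total_seconds() / 3600:.1f}h"
        print(f"{c.host}: alerted {c.alerted:%Y-%m-%d %H:%M}, contained {status}, SLA breached: {c.sla_breached}")
```

Running it shows ws-0412 contained after 58.0h (breach), ws-0199 after 0.6h (within target), and srv-db01 still open; the same pairing logic applied to a real alert feed gives a SOC its mean time to contain per host and the list of alerts that have outrun the target.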

Information Commissioner John Edwards emphasized that the breach could have been avoided with stronger security protocols. He noted that when an organization of Capita’s scale fails in its data protection duties, the fallout extends beyond the individuals affected, eroding public trust and impacting economic stability. Edwards reinforced that no organization is too large to neglect its legal responsibilities under data protection law.

In response, Capita’s CEO Adolfo Hernandez highlighted the extensive cybersecurity transformation the company has undertaken since the incident. He stated that Capita has significantly strengthened its security posture, integrated advanced protective measures, and fostered a culture of continuous vigilance. Hernandez expressed satisfaction that the matter has been resolved following two years of discussions with the ICO.

The ICO has advised all organizations to take proactive steps in managing cybersecurity risks, including regular security assessments, timely response to threats, and ensuring that security improvements are implemented consistently across all business units.

(Source: InfoSecurity Magazine)
