
Capita Fined £14M Over 6.6 Million People Data Breach

Summary

– The UK’s Information Commissioner’s Office fined Capita £14 million for a 2023 data breach that exposed personal information of 6.6 million people.
– The fine was reduced from an initial £45 million after Capita accepted liability, improved security, and offered data protection services to affected individuals.
– Attackers later claimed by the Black Basta ransomware gang gained a foothold on March 22, 2023; the infected device was not isolated for 58 hours, and the intruders went on to steal nearly one terabyte of data and deploy ransomware.
– The breach occurred due to poor security controls, including delayed response to alerts, inadequate staffing, and lack of regular penetration testing.
– Capita’s CEO confirmed the settlement and stated the fine will not impact previously published investor guidance, emphasizing strengthened cybersecurity since the incident.

The UK’s Information Commissioner’s Office has issued a £14 million penalty against Capita following a massive data breach that compromised the personal details of 6.6 million individuals. This substantial fine reflects the severity of the security lapses that allowed unauthorized access to sensitive information across hundreds of organizations, including numerous pension providers and public sector bodies.

Capita operates as a leading outsourcing and professional services firm within the United Kingdom, delivering consulting, digital, and software solutions to a diverse client base. Its customers include local government authorities, the National Health Service, the Ministry of Defence, and major players in banking, utilities, and telecommunications. The company employs approximately 34,000 staff and generates annual revenues around £3 billion, with its operations concentrated in the UK and European markets.

Initially, the ICO proposed a much larger fine of £45 million. However, the regulator decided to reduce the amount after Capita acknowledged its responsibility, undertook significant security enhancements, and provided data protection services to those affected by the breach. The total penalty was split between two entities: Capita plc was fined £8 million, while its subsidiary Capita Pension Solutions Limited received a £6 million fine.

The investigation confirmed that the incident impacted hundreds of Capita’s clients, notably 325 UK pension scheme providers. The breach began in March 2023 when hackers gained entry to the company’s systems.

In April 2023, Capita publicly disclosed that it had been targeted by cybercriminals who attempted to infiltrate its Microsoft 365 environment, and it took certain systems offline as a precaution. A subsequent update revealed that the attackers had accessed about four percent of Capita’s internal IT infrastructure and had stolen files from the compromised systems. The Black Basta ransomware group claimed responsibility for the attack, threatening to release all the stolen data unless a ransom was paid.

The intrusion started on March 22, 2023, after a Capita employee inadvertently downloaded a malicious file. This action provided the hackers with an initial foothold on the corporate network. Although the breach was detected within ten minutes, the ICO highlighted a critical failure: the infected device was not isolated from the network for another 58 hours. This delay granted the attackers extensive time to move laterally across systems, escalate their privileges to administrator level, and access highly sensitive databases.

According to the data protection authority, the malicious file allowed the deployment of further malware, enabling the attackers to maintain persistence, gain elevated permissions, and explore other network segments. Between March 29 and 30, nearly one terabyte of data was exfiltrated from Capita’s systems. On March 31, ransomware was deployed, and the attackers reset all user passwords, locking Capita staff out of their own systems and network.
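As an added illustration, not code from the original article or from any Capita system, the Python script below shows two checks a SOC could run to measure the two failures the timeline above describes: the gap between the first alert on a host and that host's isolation, and a per-host spike in daily egress volume. The event lines, host names, byte counts and thresholds are constructed to mirror the ICO timeline (detection on March 22, isolation about 58 hours later, bulk egress on March 29 and 30) and are hypothetical, not real logs.

```python
from collections import defaultdict
from datetime import datetime

# Constructed EDR-style events (hypothetical): timestamp, host, type, detail.
EVENTS = """
2023-03-22T09:10:00 WS-1042 alert malware_download
2023-03-22T09:20:00 WS-1042 alert suspicious_process
2023-03-24T19:10:00 WS-1042 isolate host_quarantine
2023-03-23T11:00:00 WS-2001 alert phishing_click
2023-03-23T11:40:00 WS-2001 isolate host_quarantine
""".strip().splitlines()

# Constructed daily egress totals (hypothetical): day, host, bytes sent out.
# SRV-DB01 normally sends ~40 GB/day; the two flagged days add up to ~1 TB.
EGRESS = """
2023-03-27 SRV-DB01 41000000000
2023-03-28 SRV-DB01 39000000000
2023-03-29 SRV-DB01 480000000000
2023-03-30 SRV-DB01 510000000000
2023-03-29 WS-2001 1200000000
""".strip().splitlines()


def containment_delays(lines, sla_hours=1.0):
    """Map each alerted host to (hours from first alert to isolation, SLA breached).

    A host that never gets isolated is reported as (None, True).
    """
    first_alert, isolated = {}, {}
    for line in sorted(lines):  # ISO timestamps sort chronologically as text
        ts, host, kind, _detail = line.split()
        t = datetime.fromisoformat(ts)
        if kind == "alert":
            first_alert.setdefault(host, t)  # keep the earliest alert per host
        elif kind == "isolate":
            isolated.setdefault(host, t)
    result = {}
    for host, t0 in first_alert.items():
        t1 = isolated.get(host)
        if t1 is None:
            result[host] = (None, True)
            continue
        hours = (t1 - t0).total_seconds() / 3600
        result[host] = (round(hours, 2), hours > sla_hours)
    return result


def egress_anomalies(lines, factor=5.0, min_bytes=100 * 10**9):
    """Flag (host, day, bytes) where a day's egress exceeds factor x the host's
    median egress over the days seen so far and also a hard minimum.

    The median is used as the baseline so that one spike does not drag the
    baseline up and mask the following day's spike.
    """
    per_host = defaultdict(list)
    for line in lines:
        day, host, nbytes = line.split()
        per_host[host].append((day, int(nbytes)))
    flagged = []
    for host, rows in per_host.items():
        history = []
        for day, n in sorted(rows):
            if history:
                baseline = sorted(history)[len(history) // 2]
                if n > factor * baseline and n >= min_bytes:
                    flagged.append((host, day, n))
            history.append(n)
    return flagged


if __name__ == "__main__":
    for host, (hours, breached) in containment_delays(EVENTS).items():
        status = "SLA BREACH" if breached else "ok"
        print(f"{host}: first alert -> isolation {hours} h [{status}]")
    for host, day, n in egress_anomalies(EGRESS):
        print(f"{host} {day}: {n / 10**9:.0f} GB egress, anomalous")
```

Run stand-alone, the script reports WS-1042 at 58 hours from first alert to isolation (an SLA breach under a one-hour target) while WS-2001 was contained in 40 minutes, and flags SRV-DB01 on March 29 and 30 as egress anomalies. Either check alone would have surfaced the incident days before the ransomware was deployed; the point of the ICO findings is that the alert existed but no one acted on it in time.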

The ICO’s ruling cited multiple security failures by Capita. These included inadequate access controls, such as the absence of a tiered administrator account model (separate privileged accounts for different tiers of systems, so that a compromise on a workstation does not yield domain-wide administrator rights), a delayed response to security alerts, an understaffed Security Operations Center, and a failure to conduct regular penetration testing and risk management exercises.

Capita’s CEO, Adolfo Hernandez, has since announced the settlement with the ICO. He emphasized the considerable effort and financial investment the company has dedicated to strengthening its cybersecurity posture following the incident. Hernandez also stated that the company does not anticipate the payment of this fine to affect its previously published financial guidance to investors.

(Source: Bleeping Computer)
