Capita hit with £14m fine for personal data breach in 2023 cyber attack

Outsourcing giant Capita has been fined £14 million by the Information Commissioner’s Office (ICO) for failing to protect personal data after hackers stole 6.6 million people’s information during a cyber attack in 2023.

The data watchdog said the breach in March 2023 saw the hackers access information including pension details and staff records, as well as details of customers of organisations Capita supports.

In some cases this included sensitive information such as details of criminal records, financial data or so-called special category data, which can include race, religion and sexual orientation.

The ICO fined Capita £8 million and a further £6 million for Capita Pension Solutions, which processes personal information on behalf of more than 600 groups providing pension schemes, with 325 of these organisations also impacted by the data breach.

John Edwards, UK information commissioner, said: “Capita failed in its duty to protect the data entrusted to it by millions of people.

“The scale of this breach and its impact could have been prevented had sufficient security measures been in place.”

The ICO said Capita had failed to ensure the security of processing of personal data, which left it at “significant risk”, adding that the company also lacked “appropriate technical and organisational measures to effectively respond to the attack”.

The ICO had initially proposed a combined fine of £45 million, but said this was reduced as part of a voluntary settlement and as it took into account actions by Capita following the hack to improve its systems, offer support to those impacted and engage with cyber authorities and regulators.

Capita said: “We regret the incident and can reaffirm that, following a detailed forensic investigation, all those identified as potentially impacted were contacted after the attack.”

Capita chief executive Adolfo Hernandez, who took on the role in 2024, said the firm was “among the first in the recent wave of highly significant cyber attacks on large UK companies”.

He added: “When I joined as CEO the year after the attack I accelerated our cyber security transformation, with new digital and technology leadership and significant investment.

“As a result, we have hugely strengthened our cybersecurity posture, built in advanced protections and embedded a culture of continuous vigilance.”

Capita has already taken a heavy financial hit from the cyber attack, estimating in the summer of 2023 that it could cost it up to £25 million as it forked out for specialist professional fees, recovery and remediation costs and investments in its cyber security.

This was before taking into account any potential fines.

The ICO said the attack began when a malicious file was unintentionally downloaded onto an employee’s device on March 22 2023.

“Despite a high priority security alert being raised within 10 minutes of the breach and some immediate automated action being taken, Capita did not quarantine the device for 58 hours, during which the attacker was able to exploit its systems,” the ICO added.

The target response time is one hour, according to the ICO.

The hacker was then able to stay in the system, gain administrator permissions and access other areas of the network before deploying ransomware onto Capita’s systems on March 31, resetting all user passwords and stopping Capita employees from accessing their systems and network.

It came amid a spate of cyber incidents in 2023, with high street retailer WH Smith suffering its second hack in less than a year in March of that year and Royal Mail’s international postal service suffering lengthy disruption after hackers targeted the group.

This year has been another year of high profile cyber attacks, with Jaguar Land Rover still recovering from a damaging hack just months after Marks & Spencer was badly hit.