The UK's data watchdog has fined outsourcing firm Capita £14 million after a cyber attack stole the personal data of 6.6 million people.
The Information Commissioner's Office (ICO) said Capita “failed to ensure the security of the processing of personal data, which exposed it to significant risk”.
The fine was initially set at £45 million but was reduced following negotiations between Capita and the watchdog.
Capita chief executive Adolfo Hernandez said the firm was “delighted to have brought this matter to closure and reached today's settlement”.
He said the company has “significantly strengthened” its cybersecurity resilience and is being vigilant.
Capita provides professional and outsourcing services in a variety of areas to the public and private sectors.
The company reported revenue of £2.4 billion last year, according to its latest annual report.
Following a hack in March 2023, it was revealed that Capita left a pool of data unprotected on the Internet.
The information, which appears to contain population data, including home addresses and passport images, started circulating on the darknet.
The ICO said financial data was stolen and in some cases criminal records were hacked.
Capita also manages more than 600 pension schemes and 325 of these have been affected.
“Capita failed in its duty to protect the data entrusted to it by millions of people,” Information Commissioner John Edwards said.
“The scale of this breach and its consequences could have been prevented if sufficient security measures had been put in place.”
The proposed £45 million fine was reduced to £14 million after Capita said it had improved its cyber security, offered support to affected people and worked with other regulators and the National Cyber Security Centre (NCSC).
Earlier this year, retailer Co-op was hit by a hacker attack in which the details of all of its roughly 6.5 million customers were stolen.
It comes amid other high-profile cyber attacks on M&S, Harrods and Jaguar Land Rover.
On Tuesday, the NCSC confirmed there had been an increase in attacks of national significance this year.
It comes as the government advised executives across the country to write down contingency plans on paper in case they lose access to their computers as a result of a hack.