ICO fines Capita £14m after ransomware caused major data breach

Capita was fined £14 million for failing to protect personal data, leading to the theft of millions of people's information after a Black Basta ransomware attack in March 2023.

The Information Commissioner's Office (ICO), which imposed the fine, said the data breach affected six million people, with information including pension and personnel records and Capita client details stolen.

The cost of the breach could rise for Capita as thousands of affected individuals are embroiled in legal action against the outsourcing service provider.

The cyberattack was subsequently claimed by the Black Basta ransomware gang, which listed Capita on its dark web leak site and published documents that appeared to have been stolen from its systems, including customer information.

The incident caused major disruption to Capita's IT systems and had a significant impact on customer services across many public sector bodies and some critical national infrastructure operators in the UK, with staff left unable to take calls from members of the public and others resorting to pen and paper. A total of 325 Capita client organizations were affected by the data breach, according to the ICO.

The ICO fined Capita plc £8 million and Capita Pension Solutions £6 million for failing to process personal data securely, exposing the data to significant risk. The regulator added that the company did not have "appropriate technical and organizational measures" in place to respond effectively.

UK Information Commissioner John Edwards said: “Capita failed in its duty to protect the data entrusted to it by millions of people. The scale of this breach and its consequences could have been prevented if sufficient security measures had been in place.”

“When a company the size of Capita fails, the consequences can be significant. Not only for those whose data is compromised – many of whom have told us of the anxiety and stress they have experienced – but also for wider public trust and for our future prosperity. As our fine shows, no organization is too big to ignore its responsibilities.”

The ICO initially planned to fine Capita £45 million, but the fine was reduced after the company made representations and put forward mitigating factors, including improvements it had made since the attack, the support offered to affected individuals and its engagement with other regulators.

The attack began when a malicious file was accidentally downloaded to an employee's device. Capita's failure to isolate the device for 58 hours gave the attacker time to exploit its systems.

Adolfo Hernandez, CEO of Capita, said: “When I became CEO a year after the attack, I accelerated our cybersecurity transformation through new digital and technology leadership and significant investment. As a result, we have significantly strengthened our cybersecurity position by introducing advanced defenses and instilling a culture of constant vigilance.”

“After a lengthy period of dialogue with the ICO over the past two years, we are pleased to bring this matter to a conclusion and reach today’s settlement.”

Adnan Malik, head of Barings Law's data protection practice, which is pursuing legal action against Capita on behalf of thousands of affected individuals, said the ICO fine represents less than 1% of Capita's annual revenue, which topped £2 billion last year.

“This does little to address the damage caused by the firm’s inadequate cybersecurity procedures, which resulted in the loss of highly sensitive data, including benefit and pension records,” Malik added.

“The ICO fine is not related to Barings Law's legal action against Capita and does not change anything in the ongoing action,” Malik added. “If anything, we expect this will mean our case will move faster.”

He said data breaches of large firms were on the rise, causing huge damage to people's finances, privacy and trust. “This fine and the pending litigation should be a wake-up call to any firm that is still handling its clients’ data quickly and irresponsibly.”