Capita Fined £14M After Data Breach Exposes 6.6M People

Capita, one of the UK’s largest outsourcing and professional services companies, has been fined £14 million by the Information Commissioner’s Office (ICO) following a 2023 data breach that exposed the personal information of approximately 6.6 million people.

Capita’s Role and Impact

Capita provides business process outsourcing, consulting, and digital services to public and private sector organizations. Its clients include local councils, the NHS, the Ministry of Defence, financial institutions, utilities, and telecom companies. The company has around 34,000 employees and annual revenues of about £3 billion, so a compromise of its systems had major implications for organizations across the UK and Europe.

ICO Fine Reduced From £45M to £14M

The ICO initially set the penalty at £45 million but reduced it to £14 million after Capita accepted liability, invested in security improvements, and offered identity protection services to affected individuals. The fine is divided between Capita plc (£8 million) and Capita Pension Solutions Limited (£6 million).

According to the regulator, hundreds of clients were impacted, including 325 pension scheme providers across the UK.

How the Capita Breach Happened

The intrusion began on March 22, 2023, when a Capita employee downloaded a malicious file that gave the attackers a foothold on the company's internal network. Security tooling flagged the activity within 10 minutes, but the compromised device was not isolated for 58 hours. That gap between detection and containment gave the attackers time to move laterally and exfiltrate data.

Nearly one terabyte of files was stolen, and on March 31 ransomware was deployed across systems. Passwords were reset, locking staff out of the network and disrupting services. The Black Basta ransomware group later claimed responsibility and threatened to leak stolen data.

ICO Findings and Security Failures

The ICO investigation highlighted several failings that made the breach worse, including:

  • Weak access controls, including no tiering of administrative accounts (tiering keeps credentials used on ordinary workstations separate from those that can reach servers and domain controllers, so one compromised account cannot reach both)
  • Delayed response to early detection alerts, so the compromised device stayed on the network for 58 hours after the first alert
  • An understaffed Security Operations Center (SOC)
  • Failure to conduct regular penetration testing and risk assessments
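The timeline above and the "delayed response to early detection alerts" finding describe the same failure mode: an alert fired quickly, but nobody acted on it for more than two days. The following is an added example, not Capita's telemetry, the ICO's material, or any vendor's API; it shows how a SOC can measure detection-to-containment time per host from its own alert and isolation events and flag hosts that exceed a containment SLA, including hosts that were alerted on but never isolated at all. The host names, clock times and the one-hour SLA are assumptions; only the 58-hour gap on the first host mirrors the figure the ICO reported.

```python
"""Detection-to-containment SLA check over EDR/SIEM-style events.

Added example for the Capita write-up. All hosts, timestamps and the SLA
are constructed; this is not real telemetry and not a product API.
"""
from datetime import datetime, timezone

# Constructed sample export: one event per line, minimal fields.
# ws-0417 is alerted on and isolated 58 hours later (the gap the ICO cited);
# ws-0512 is isolated within 20 minutes; srv-db02 is never isolated.
SAMPLE_EVENTS = [
    {"ts": "2023-03-22T09:00:00Z", "host": "ws-0417", "event": "malware_detected"},
    {"ts": "2023-03-22T09:10:00Z", "host": "ws-0417", "event": "alert_raised"},
    {"ts": "2023-03-24T19:10:00Z", "host": "ws-0417", "event": "host_isolated"},
    {"ts": "2023-03-22T14:00:00Z", "host": "ws-0512", "event": "alert_raised"},
    {"ts": "2023-03-22T14:20:00Z", "host": "ws-0512", "event": "host_isolated"},
    {"ts": "2023-03-23T08:00:00Z", "host": "srv-db02", "event": "alert_raised"},
]


def parse_ts(ts: str) -> datetime:
    """Parse a UTC 'YYYY-MM-DDTHH:MM:SSZ' timestamp (works on Python < 3.11)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def containment_report(events, sla_hours=1.0, now=None):
    """Per host: first alert, first isolation, hours to isolate, SLA status.

    A host with an alert but no isolation event is treated as still open and
    is measured against `now` (defaults to the latest timestamp in the data),
    so it is reported as breached once the SLA window has elapsed.
    """
    first_alert, first_isolation = {}, {}
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        host, t = e["host"], parse_ts(e["ts"])
        if e["event"] == "alert_raised":
            first_alert.setdefault(host, t)
        elif e["event"] == "host_isolated" and host in first_alert:
            first_isolation.setdefault(host, t)

    if now is None:
        now = max(parse_ts(e["ts"]) for e in events)

    report = {}
    for host, alerted in first_alert.items():
        isolated = first_isolation.get(host)
        elapsed_hours = ((isolated or now) - alerted).total_seconds() / 3600
        report[host] = {
            "alerted": alerted,
            "isolated": isolated,
            # None means "not contained yet", which is worse than a slow isolation.
            "hours_to_isolate": elapsed_hours if isolated else None,
            "sla_breached": elapsed_hours > sla_hours,
        }
    return report


def sla_breaches(events, sla_hours=1.0):
    """Sorted list of hosts whose containment exceeded (or still exceeds) the SLA."""
    return sorted(h for h, r in containment_report(events, sla_hours).items() if r["sla_breached"])


if __name__ == "__main__":
    for host, r in containment_report(SAMPLE_EVENTS).items():
        state = f"isolated after {r['hours_to_isolate']:.1f}h" if r["isolated"] else "NOT isolated"
        print(f"{host}: {state}  SLA breached: {r['sla_breached']}")
```

The report is a metric, not a control: the point of computing it continuously is that a host sitting in the "alerted, not isolated" state for hours shows up as a breach while the incident is still in progress, rather than in a regulator's findings afterwards.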

Capita’s Response

Capita CEO Adolfo Hernandez confirmed the settlement and emphasized that the company has invested heavily in cybersecurity improvements since the incident. He also noted that paying the fine will not affect previously issued financial guidance for investors.

Why the Fine Matters

This case underscores the growing regulatory focus on cybersecurity in the UK. Millions of individuals now face a heightened risk of scams, fraud, and identity theft because of the breach, and the penalty is one of the largest ICO enforcement actions of its kind in recent years. The £14 million fine signals that organizations failing to secure personal data will face significant financial and reputational consequences.

Bottom line: The Capita data breach shows how quickly a lapse in security can escalate into widespread exposure. For affected individuals, monitoring financial accounts, changing passwords, and using identity protection services are crucial steps to reduce potential harm.

Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.
