The outsourcing company Capita has been fined £14m for data protection failings after hackers stole the personal information of 6.6 million people, including staff details and those of its clients’ customers.
John Edwards, the UK information commissioner who levied the fine, said the March 2023 data theft from the group and companies it supported, including 325 pension providers, caused anxiety and stress for those affected.
The £8m fine for Capita and £6m penalty for its Capita Pension Solutions arm come as UK businesses battle a recent wave of cyber-attacks that has crippled companies such as M&S and Jaguar Land Rover.
Capita discovered the attack within 10 minutes but did not shut down the device that had been targeted by a malicious file for 58 hours, during which time the attacker was able to exploit its systems. Hackers took almost one terabyte of data, installed ransomware and reset all user passwords, locking out Capita staff.
In some cases stolen information was sensitive, such as details of criminal records, financial data and “special category data”, which can include race, religion and sexual orientation.
An original proposed fine of £45m was cut after Capita made representations that it had made security improvements and engaged with regulators and the National Cyber Security Centre (NCSC), part of GCHQ. The NCSC said this week that the number of nationally significant cyber-attacks in the UK more than doubled in the past year.
It called on businesses of all sizes to draw up contingency plans for if “your IT infrastructure [is] crippled tomorrow and all your screens [go] blank”.
The information commissioner’s investigation found that prior to the attack, Capita failed to fix known vulnerabilities, its security operations centre was understaffed and it had carried out inadequate testing of defences despite looking after millions of personal and sometimes sensitive records.
“Capita failed in its duty to protect the data entrusted to it by millions of people,” Edwards said. “The scale of this breach and its impact could have been prevented had sufficient security measures been in place.
“When a company of Capita’s size falls short, the consequences can be significant. Not only for those whose data is compromised – many of whom have told us of the anxiety and stress they have suffered – but for wider trust among the public and for our future prosperity. As our fine shows, no organisation is too big to ignore its responsibilities.”
Capita’s chief executive, Adolfo Hernandez, said: “As an organisation delivering essential public services as well as key services for private sector clients, Capita was among the first in the recent wave of highly significant cyber-attacks on large UK companies.
“When I joined as CEO the year after the attack I accelerated our cyber security transformation, with new digital and technology leadership and significant investment. As a result, we have hugely strengthened our cybersecurity posture, built in advanced protections and embedded a culture of continuous vigilance.”