Capita hit with £14m fine for personal data breach in 2023 cyber attack | Stroud News and Journal
Outsourcing giant Capita has been fined £14 million by the Information Commissioner’s Office (ICO) for failing to protect personal data after hackers stole 6.6 million people’s information during a cyber attack in 2023.

The data watchdog said the breach in March 2023 saw the hackers access information including pension details and staff records, as well as details of customers of organisations Capita supports.

In some cases, this included sensitive information such as details of criminal records, financial data or so-called special category data, which can include race, religion and sexual orientation.

The ICO fined Capita £8 million and a further £6 million for Capita Pension Solutions, which processes personal information on behalf of more than 600 groups providing pension schemes, with 325 of these organisations also impacted by the data breach.

John Edwards, UK information commissioner, said: “Capita failed in its duty to protect the data entrusted to it by millions of people.

“The scale of this breach and its impact could have been prevented had sufficient security measures been in place.”

The ICO said Capita had failed to ensure the security of processing of personal data, which left it at “significant risk”, adding that the company also lacked “appropriate technical and organisational measures to effectively respond to the attack”.

The ICO had initially proposed a combined fine of £45 million, but said this was reduced as part of a voluntary settlement and as it took into account actions by Capita following the hack to improve its systems, offer support to those impacted and engage with cyber authorities and regulators.

Capita said: “We regret the incident and can reaffirm that, following a detailed forensic investigation, all those identified as potentially impacted were contacted after the attack.”

Capita chief executive Adolfo Hernandez, who took on the role in 2024, said the firm was “among the first in the recent wave of highly significant cyber attacks on large UK companies”.

He added: “When I joined as CEO, the year after the attack, I accelerated our cyber security transformation, with new digital and technology leadership and significant investment.

“As a result, we have hugely strengthened our cybersecurity posture, built in advanced protections and embedded a culture of continuous vigilance.”

Capita has already taken a heavy financial hit from the cyber attack, estimating in the summer of 2023 that it could cost it up to £25 million as it forked out for specialist professional fees, recovery and remediation costs, and investments in its cyber security.

This was before taking into account any potential fines.

The ICO said the attack began when a malicious file was unintentionally downloaded onto an employee’s device on March 22, 2023.

“Despite a high priority security alert being raised within 10 minutes of the breach and some immediate automated action being taken, Capita did not quarantine the device for 58 hours, during which the attacker was able to exploit its systems,” the ICO added.

The target response time is one hour, according to the ICO.

The hacker was then able to stay in the system, gain administrator permissions and access other areas of the network before deploying ransomware onto Capita’s systems on March 31, resetting all user passwords and stopping Capita employees from accessing their systems and network.

It came amid a spate of cyber incidents in 2023, with high street retailer WH Smith suffering its second hack in less than a year in March of that year and Royal Mail’s international postal service suffering lengthy disruption after hackers targeted the group.

This year has been another year of high-profile cyber attacks, with Jaguar Land Rover still recovering from a damaging hack just months after Marks & Spencer was badly hit.