ICO fines Capita £14m for data breach affecting over 6 million people
On 15 October the ICO fined Capita £14m (£8m for Capita plc and £6m for Capita Pension Solutions Limited) for a data security breach.

The fine relates to a 2023 breach in which hackers stole millions of people’s personal information. “Our investigation found that Capita had failed to ensure the security of processing of personal data which left it at significant risk, as well as lacking the appropriate technical and organisational measures to effectively respond to the attack,” the ICO says.

Mark Young, Partner at Covington said: “[Today’s] ICO fine – coming in the same week as the UK government’s letter to CEOs on cyber – emphasises the importance of implementing effective measures to prevent unauthorised lateral movement within a network when a bad actor breaks in, and to respond effectively to security alerts.”

“A key point for other large organisations to note is that even though the regulator accepted that it may not be practical for a large organisation like Capita to conduct penetration tests on every system in its network, certain systems must be tested based on the volume and sensitivity of data, and learnings from tests that could impact the entire network should be disseminated to each relevant legal entity and implemented across the network. The ICO also underlined the importance of organisations properly resourcing their Security Operations Centre (SOC) to ensure that they are able to respond promptly to a serious high-risk alert.”

Capita has admitted liability and has agreed to pay the fine without appeal.

See: