Capita fined £14m for 2023 data breach

Capita has been fined £14m by the Information Commissioner’s Office (ICO) for a cyber-attack in 2023 which saw millions of people have their personal data stolen.

An ICO investigation found that the outsourcing firm had failed to ensure the security of its processing of personal data, which left that data at “significant risk”.

The cyber-attack took place in March 2023, when the personal information of 6.6 million people was stolen, ranging from pension and staff records to the details of customers of organisations that Capita supports. For some people, this included sensitive information such as details of criminal records, financial data or special category data.

Capita Pension Solutions processes personal information on behalf of over 600 organisations providing pension schemes, and the ICO found that 325 of these organisations were impacted by the data breach.

According to the watchdog, Capita had also lacked the “appropriate technical and organisational measures” to effectively respond to the attack.

As a result, Capita has been fined £8m and Capita Pension Solutions £6m, giving a combined total of £14m. The fine was originally set at £45m but reduced after discussions between Capita and the ICO.

UK Information Commissioner, John Edwards, said that Capita had “failed in its duty to protect the data entrusted to it by millions of people”.

“The scale of this breach and its impact could have been prevented had sufficient security measures been in place,” Edwards added.

“When a company of Capita’s size falls short, the consequences can be significant. Not only for those whose data is compromised – many of whom have told us of the anxiety and stress they have suffered – but for wider trust amongst the public and for our future prosperity. As our fine shows, no organisation is too big to ignore its responsibilities.”

Factoring in the impact of the £14m penalty, Capita revealed it would now expect free cash outflow, before the impact of business exits, of between £59m and £79m, with no other changes to its previous guidance of £45m-£65m.

The outsourcing company said it still expects to be cash positive from the end of 2025.

“When I joined as CEO the year after the attack I accelerated our cyber security transformation, with new digital and technology leadership and significant investment,” Capita’s CEO, Adolfo Hernandez, commented.

“As a result, we have hugely strengthened our cybersecurity posture, built in advanced protections and embedded a culture of continuous vigilance.

“Following an extended period of dialogue with the ICO over the last two years, we are pleased to have concluded this matter and reached today’s settlement. The Capita team continues to focus tirelessly on our group transformation journey for the benefit of our customers, our people and wider society.”


