[UK] Capita fined £14m for data breach affecting 6 million people

16 Oct 2025

In the UK, the Information Commissioner's Office (ICO) has announced that it has issued a fine of £14 million to Capita for failing to ensure the security of personal data related to a breach in 2023 that saw hackers steal millions of people’s information.

Capita plc has been fined £8 million and Capita Pension Solutions Limited has been fined £6 million, for a combined total penalty of £14 million.

The ICO said, “The cyber attack took place in March 2023. The personal information of 6.6 million people was stolen, from pension records and staff records to the details of customers of organisations Capita supports. For some people, this included sensitive information such as details of criminal records, financial data or special category data.

“Capita Pension Solutions Limited processes personal information on behalf of over 600 organisations providing pension schemes, with 325 of these organisations also impacted by the data breach.”

According to the ICO, its investigation found that Capita had failed to ensure the security of the processing of personal data, which left it at significant risk. It also found that Capita lacked the appropriate technical and organisational measures to respond to the attack effectively.

John Edwards, UK Information Commissioner, said, “Capita failed in its duty to protect the data entrusted to it by millions of people. The scale of this breach and its impact could have been prevented had sufficient security measures been in place.

“When a company of Capita’s size falls short, the consequences can be significant. Not only for those whose data is compromised, many of whom have told us of the anxiety and stress they have suffered, but for wider trust amongst the public and for our future prosperity. As our fine shows, no organisation is too big to ignore its responsibilities.

“Maintaining good cybersecurity is fundamental to economic growth and security. With so many cyber attacks in the headlines, our message is clear: every organisation, no matter how large, must take proactive steps to keep people’s data secure. Cyber criminals don’t wait, so businesses can’t afford to wait either - taking action today could prevent the worst from happening tomorrow.”

The ICO says that it initially informed Capita of its provisional intention to fine it a combined total of £45m. Capita subsequently submitted representations and mitigating factors on the provisional decision, which the ICO says it carefully considered.

This reportedly included the improvements made after the attack, support offered to affected individuals and engagement with other regulators and the National Cyber Security Centre.

The ICO and Capita have now agreed to a voluntary settlement. Capita has acknowledged the Office’s decision and admitted liability, agreeing to pay a final penalty of £14 million without appealing.
Source: ICO

(Quotes via original reporting)
