Mallory

Capita Fined for Security Failings in Massive Data Breach Affecting 6.6 Million Individuals

Updated October 18, 2025 at 02:13 PM · 7 sources


The UK Information Commissioner's Office (ICO) imposed a record £14 million fine on Capita, the country's largest outsourcing company, following a major cyberattack in 2023 that compromised the personal data of 6.6 million people. The penalty was split between Capita plc (£8 million) and Capita Pension Solutions Limited (£6 million), reflecting the widespread impact across both the parent company and its pension subsidiary. The breach affected 325 of the more than 600 organizations that rely on Capita’s services, exposing sensitive information such as bank and credit card details, biometric data, passport information, login credentials, and data relating to children. For some individuals, the stolen data included details of criminal records, financial information, and other special category data.

The ICO’s investigation found that Capita failed to implement adequate technical and organizational measures to secure personal data, leaving it vulnerable to attack and unable to respond effectively when the breach occurred. The attack began when a malicious JavaScript file was downloaded onto an employee’s device on March 22, 2023, but the compromised device was not quarantined for 58 hours, allowing attackers to access and exfiltrate data. Capita initially claimed there was no evidence of data compromise, but subsequent findings contradicted this, revealing the extent of the breach.

The ICO originally considered a much higher fine of £45 million, but reduced the amount after Capita demonstrated improvements in security, provided support to victims, and cooperated with authorities including the National Cyber Security Centre. The breach led to significant anxiety and stress among affected individuals, with some reporting financial losses. Despite the incident, Capita continued to secure substantial government contracts, with 241 contracts worth £6 billion awarded since the breach.
The ICO emphasized that no organization is too large to be held accountable for data protection failures and highlighted the importance of proactive cybersecurity measures. The fine represents approximately 12 percent of Capita’s 2024 post-tax profits, underscoring the financial and reputational consequences of inadequate data security. The incident serves as a stark reminder to all organizations of the critical need to safeguard personal data and maintain robust incident response capabilities.

Sources

October 18, 2025 at 12:00 AM
October 15, 2025 at 11:01 AM
October 15, 2025 at 12:00 AM


Related Stories

UK Fines LastPass for Major Data Breach Impacting 1.6 Million Users

The UK Information Commissioner's Office (ICO) has fined LastPass £1.2 million ($1.6 million) following a significant data breach in 2022 that compromised the personal information of up to 1.6 million UK users. The breach occurred in two stages: initially, an attacker compromised a company developer's work-issued laptop, exfiltrating source code and technical documentation, including unencrypted and encrypted credentials. This access was later leveraged to target a senior engineer's personal laptop, allowing the attacker to obtain credentials and keys used to access and decrypt storage volumes within LastPass's cloud-based storage service. The ICO determined that LastPass failed to implement sufficiently robust technical and security measures to protect customer data, leading to the substantial penalty. Although the attackers obtained encrypted versions of sensitive data, including website names and passwords, the ICO noted there was no evidence that customer passwords were decrypted, as these are stored locally on user devices. However, security experts have raised concerns about the potential for brute-force attacks on the stolen vaults, with reports linking the breach to cryptocurrency thefts. The ICO emphasized the importance of strong security practices for password management services and urged all UK businesses to take steps to protect customer data in light of this incident.

3 months ago
Nexpublica France Fined for Inadequate Security After Data Breach

France’s data protection authority, CNIL, imposed a €1.7 million ($2 million) fine on the software company Nexpublica France following a data breach that exposed sensitive documents of third parties through a company portal. The breach, reported in November 2022, allowed users to access documents belonging to other individuals, prompting an investigation by CNIL, which found that Nexpublica’s data security program was insufficient and failed to meet basic security standards. The regulator cited several aggravating factors in determining the fine, including Nexpublica’s lack of awareness of fundamental security principles, the number of people affected, the sensitivity of the exposed data, and the company’s financial capacity. CNIL also noted that Nexpublica was aware of the security issues prior to the breach but did not take corrective action until after the incident, constituting a violation of the General Data Protection Regulation (GDPR).

2 months ago
UK Data Protection Incidents and Enforcement Actions

A UK local authority disclosed personal data during its complaints-handling process after forwarding complaints to a councillor with **all complainants’ identifying details** included, despite some complainants opting to withhold their names. The information reportedly exposed included sensitive contact details (e.g., home addresses, email addresses, phone numbers) that would not normally be shared with the subject of a complaint, constituting a **data protection breach** and raising governance concerns around how complaint records are processed and redacted. Separately, the UK **Information Commissioner’s Office (ICO)** won a court battle in its long-running attempt to uphold a **£500,000 fine** against **DSG Retail** (owner of *Currys PC World* and *Dixons Travel*) tied to a major 2017 breach in which malware was installed on **5,390 point-of-sale tills** and remained undetected for **nine months**. The incident involved theft of **5.6 million payment card numbers and expiry dates** (without cardholder names) and personal data relating to roughly **14 million individuals**; a central legal dispute is whether the payment card data alone constitutes **personal data** under the applicable pre-GDPR regime. A third item argues for using **tax incentives** (modeled on green-energy policy) to drive “security by design” and improve cybersecurity outcomes, but it is a policy opinion piece rather than reporting on a specific incident or enforcement action.

3 weeks ago
