Capita’s £14 Million Cyber Breach Fine

In October 2025, the UK’s Information Commissioner’s Office (ICO) imposed a £14 million fine on Capita, one of the nation’s largest outsourcing firms, for failing to protect personal data during a significant cyberattack in 2023. The breach compromised the personal information of 6.6 million individuals, including pension records, staff details, and sensitive data such as criminal records and financial information. (ico.org.uk)

The attack began on March 22, 2023, when an employee inadvertently downloaded a malicious file. Despite an automated alert within 10 minutes, Capita did not quarantine the compromised device for 58 hours, allowing attackers to infiltrate systems, gain administrator rights, and exfiltrate nearly one terabyte of data. Ransomware was deployed, resetting passwords and locking staff out of systems. (ico.org.uk)


The ICO’s investigation revealed several security lapses:

  • Privilege Escalation: Capita lacked controls to prevent attackers from escalating privileges and moving laterally across networks, compromising critical systems.

  • Ignored Alerts: Security alerts were not addressed promptly, delaying response times and exacerbating the breach.

  • Unresolved Vulnerabilities: Known security weaknesses were left unaddressed, leaving systems open to exploitation. (ico.org.uk)

Initially, the ICO proposed a £45 million fine. However, after considering Capita’s post-incident improvements, including enhanced cyber controls and cooperation with the National Cyber Security Centre, the penalty was reduced to £14 million—£8 million for Capita plc and £6 million for Capita Pension Solutions Limited. Capita accepted the settlement and admitted liability. (ico.org.uk)

Capita’s CEO, Adolfo Hernandez, appointed after the breach, stated, “We have hugely strengthened our cybersecurity posture, built in advanced protections, and embedded a culture of continuous vigilance.” (insurancebusinessmag.com)

This case highlights the growing regulatory scrutiny of UK firms following high-profile cyber breaches. The ICO emphasized that no organization, regardless of size, is exempt from its responsibilities to protect personal data. (ico.org.uk)

References

  • Capita fined £14m for data breach affecting over 6m people. Information Commissioner’s Office. (ico.org.uk)

  • Huge outsourcing firm whacked with £14 million fine for cyber breach. Insurance Business UK. (insurancebusinessmag.com)

  • Capita fined £14 million after 6.6m records stolen in cyber attack. upday News. (upday.com)

  • Capita Ransomware Fine Marks UK’s Largest Breach Penalty. The Cyber Express. (thecyberexpress.com)

  • UK’s Capita fined $19 million for 2023 cyber breach. Reuters. (reuters.com)

4 Comments

  1. Given the significant delay in quarantining the compromised device, what specific improvements in incident response protocols and automation could prevent similar breaches in the future, especially considering the initial alert was generated so quickly?

    • That’s a great point! The speed of the initial alert really highlights the need for automated quarantine procedures. Perhaps AI-driven systems that can automatically isolate suspicious devices based on alert severity could prevent such delays. What are your thoughts on using AI to enhance incident response?

      Editor: StorageTech.News


  2. 58 hours to quarantine? That’s like waiting for dial-up to download a movie in 2025! I wonder if the attacker sent a thank you card for the extended access? Perhaps a pizza? Seriously though, how do companies let this happen?

    • That’s a great analogy! The 58-hour delay is indeed shocking. It really raises questions about incident response readiness and highlights the need for stringent security protocols and staff awareness training. What proactive measures could organizations implement to reduce these response times, and more importantly, what could be done to avoid the attack in the first place?

      Editor: StorageTech.News

