ICO issues £14m GDPR fine to Capita for 2023 cyberattack affecting 6.6m people
15/10/2025 | ICO
The Information Commissioner's Office (ICO) has issued monetary penalties totalling £14 million to the international business process outsourcing and professional services company Capita, following a cyberattack in 2023 that led to the theft of personal information belonging to 6.6 million people.
The list of personal data stolen is extensive. It includes names and contact information, dates of birth, national insurance numbers, driving licences, passports, photo and other national IDs, bank account details, copies of signatures, biometric information, health data, racial and ethnic origin information, political affiliations, religious and philosophical beliefs, trade union membership, sexual orientation, and criminal records checks.
Of the total amount, £8 million was levied against Capita Plc, with the remaining £6 million being apportioned to Capita Pension Solutions Limited (CPSL). During the ICO's investigation, the personal data breach was found to have affected 325 of the 600 schemes managed by Capita Pensions. The regulator had initially informed Capita of its intention to fine the group a combined total of £45 million. However, the ICO reduced the amount upon receipt of representations outlining mitigating factors.
The ICO found that both Capita entities infringed UK GDPR due to multiple systemic security failures. These included an inability to prevent the attacker from escalating privileges and moving across multiple domains—a vulnerability that had been flagged at least three times previously but never remedied. Furthermore, the company's Security Operations Centre was severely understaffed and took a critical 58 hours to respond to a high-priority security alert, far exceeding its one-hour target. The investigation also found that penetration testing and risk assessments were inadequate and siloed, failing to address network-wide vulnerabilities.
The ICO found that Capita Plc infringed Articles 5(1)(f), 32(1), and 32(2) of the UK General Data Protection Regulation (GDPR), while CPSL infringed GDPR Articles 32(1) and 32(2).