
Outsourcing Firm Capita plc Fined £14 Million After Major 2023 Data Breach

  • Writer: All Things Being ISOs
  • 15 minutes ago

Capita plc, the UK-based outsourcing company that provides business support services to both government and private-sector clients, has been fined £14 million by the Information Commissioner’s Office (ICO) for failings in its data protection systems following a cyber-attack in 2023.


According to the ICO, the breach - first identified in March 2023 - resulted in the theft of personal data relating to more than 6 million individuals. The compromised information included pension records, staff and customer records, and details classified as “special category” data, such as criminal-records information and sensitive employer-related data.


In a statement, the ICO said Capita had failed to implement adequate controls to prevent “unauthorised network access, privilege escalation and lateral movement through its systems.” The regulator added that the company was slow to act in response to security alerts and had allowed a malicious file to be downloaded onto an employee device, which remained affected for over 58 hours.


Capita confirmed receipt of the fine and indicated that the incident had been subject to detailed forensic investigation. The firm estimated that the total financial impact of the breach - including remediation, legal costs and customer compensation - could reach up to £20 million.


John Edwards, the UK Information Commissioner, commented: “With so many cyber-attacks in the headlines, our message is clear: every organisation, no matter how large, must take proactive steps to keep people’s data secure.”


The penalty is among the biggest imposed by the ICO in recent years and sends a strong message about regulatory expectations for data security. It also underscores how third-party service providers, which handle large volumes of client and public-sector data, are under increasing scrutiny.


Capita’s case will be closely watched by organisations that rely on outsourced suppliers or manage large data sets. The breach highlights the need for rigorous access controls, prompt detection of malicious activity, robust incident-response capability and ongoing oversight of supplier risk.


A message from our sponsors, The Ideas Distillery


If you would like to look at how to implement an ISO 27001 information security management system, then simply contact us.


Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).
