Capita to pay £14 million for data breach impacting 6.6 million people

The Information Commissioner’s Office (ICO) in the UK has fined Capita, a provider of data-driven business process services, £14 million ($18.7 million) for a data breach incident in 2023 that exposed the personal information of 6.6 million people.

Capita is a major UK-based outsourcing and professional services company that provides consulting, digital, and software services to local councils, the NHS, the Ministry of Defence, and organizations in the banking, utilities, and telecommunications sectors.

Capita has around 34,000 employees and an annual revenue of £3 billion, and its clients are mostly in the UK and Europe.

Hundreds of retirement plan providers impacted

The ICO had initially set the fine at a much larger £45 million, but the agency decided to reduce the penalty after the company accepted liability, implemented important security improvements, and offered data protection services to exposed individuals.

The data protection authority fined Capita plc £8 million, and Capita Pension Solutions Limited received a penalty of £6 million.

The ICO’s investigation has now confirmed that the stolen data impacts 6.6 million people and hundreds of Capita clients, including 325 pension scheme providers in the UK.

In April 2023, the company announced that it had been targeted by hackers who attempted to access its internal Microsoft 365 environment, forcing some systems offline as part of its response.

An update three weeks later confirmed that hackers had accessed 4% of Capita’s internal IT infrastructure and exfiltrated private files hosted on the breached systems.

The Black Basta ransomware gang claimed the attack and threatened to leak all stolen files unless the company paid a ransom.
