ICO hands Capita £14 million data breach fine

Updated as of: 15 October 2025

Capita has agreed to pay a multi-million data security fine to the UK privacy watchdog, months after admitting in related litigation that it had breached the UK GDPR’s security duty.


The Information Commissioner’s Office (ICO) said today the fine was initially set at £45 million but was reduced based on mitigating factors presented by Capita. The company admitted liability and agreed to pay the final penalty – comprising an £8 million fine for Capita PLC and a £6 million fine for Capita Pension Solutions (CPSL). 

Capita will not appeal against the decision. In a June defence to related High Court group litigation, Capita PLC had already admitted to claimants that it had breached the UK GDPR security duty in relation to the exfiltrated data related to the claimants in that case. 

In 2023, hackers gained access to Capita’s IT estate, deployed ransomware and exfiltrated nearly one terabyte of data from pension, staff and customer records, including highly sensitive financial information, details of criminal records and special category data. The regulator said it received at least 93 complaints from affected individuals following the attack, adding that Capita itself received 678 complaints as well as a notification of the High Court claim.

The ICO today said Capita failed to ensure the security of its processing and lacked appropriate technical and organisational measures to effectively respond to the attack, which exposed the information of 6.6 million individuals. 

Capita “failed in its duty to protect the data entrusted to it by millions of people”, Information Commissioner John Edwards said in a statement. “When a company of Capita’s size falls short, the consequences can be significant,” he noted, adding that this includes the anxiety and stress suffered by those impacted and the wider impact on public trust. 

“As our fine shows, no organisation is too big to ignore its responsibilities,” Edwards said.

Contraventions

The monetary penalty notice cited contraventions of UK GDPR provisions under article 5 on the integrity and confidentiality of processing and article 32 under which processors must implement security measures. 

Among the key issues identified is Capita’s failure to prevent both privilege escalation and unauthorised lateral movement through the network. Capita did not have a tiering model in place for administrative accounts, allowing the attacker to move laterally across the network into different Capita domains, exfiltrate data, and deploy ransomware, the ICO said.
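The tiering model the ICO refers to separates administrative accounts and hosts into privilege tiers (commonly Tier 0 for identity infrastructure such as domain controllers, Tier 1 for servers and applications, Tier 2 for user workstations) and forbids an account from logging on outside its own tier, so that a stolen credential on a workstation cannot be reused against the domain. The following is an added illustration, not code from the ICO notice or from Capita: a small checker that runs over constructed logon records and flags the cross-tier logons such a model is meant to prevent. Account names, host names and tier assignments are all constructed sample data.

```python
from dataclasses import dataclass

# Tier numbering follows the usual convention: 0 is the most privileged
# (identity/domain infrastructure), 1 servers, 2 user workstations.
# These mappings are constructed sample data for the example.
ACCOUNT_TIERS = {
    "t0-admin-alice": 0,
    "t1-admin-bob": 1,
    "jsmith": 2,
}
HOST_TIERS = {
    "dc01": 0,
    "app-srv-07": 1,
    "ws-1042": 2,
}


@dataclass(frozen=True)
class Logon:
    account: str
    host: str


@dataclass(frozen=True)
class Violation:
    account: str
    host: str
    reason: str


def check_tier_boundaries(events, account_tiers=ACCOUNT_TIERS, host_tiers=HOST_TIERS):
    """Return one Violation per logon that crosses a tier boundary.

    A tiering model requires that an account only administers hosts in its
    own tier. Both directions are reported: a privileged credential exposed
    on a less trusted host (the credential-theft path that enables lateral
    movement), and a low-tier account reaching a more privileged host (which
    policy should have blocked outright). Anything without a tier assignment
    is reported too, since an untiered asset cannot be enforced against.
    """
    violations = []
    for ev in events:
        acc_tier = account_tiers.get(ev.account)
        host_tier = host_tiers.get(ev.host)
        if acc_tier is None or host_tier is None:
            violations.append(Violation(ev.account, ev.host, "untiered account or host"))
        elif acc_tier < host_tier:
            violations.append(Violation(
                ev.account, ev.host,
                f"tier {acc_tier} credential exposed on tier {host_tier} host"))
        elif acc_tier > host_tier:
            violations.append(Violation(
                ev.account, ev.host,
                f"tier {acc_tier} account reached tier {host_tier} host"))
    return violations


def sample_logons():
    """Constructed logon records: three compliant, three that break the model."""
    return [
        Logon("t0-admin-alice", "dc01"),        # Tier 0 admin on Tier 0 host: fine
        Logon("t0-admin-alice", "ws-1042"),     # Tier 0 credential on a workstation
        Logon("jsmith", "ws-1042"),             # user on their own workstation: fine
        Logon("jsmith", "app-srv-07"),          # user account reaching a server
        Logon("t1-admin-bob", "app-srv-07"),    # Tier 1 admin on Tier 1 host: fine
        Logon("svc-unknown", "dc01"),           # account nobody has tiered
    ]


if __name__ == "__main__":
    for v in check_tier_boundaries(sample_logons()):
        print(f"{v.account} -> {v.host}: {v.reason}")
```

In practice the account and host tier tables would come from the directory (group membership, OU or host classification) and the logon records from authentication logs; the rule itself does not change. The value of the check is that every hit is a concrete place where a tiering model is either missing or not being enforced, which is exactly the gap the notice describes.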

The regulator noted that the level of freedom the threat actor had within the Capita network “was certainly extensive and of significant concern”. It added the contravention is “particularly egregious” as Capita was made aware of these deficiencies on at least three occasions prior to the incident, but had failed to remedy them. 

The ICO added that the company did not conduct adequate penetration testing on all its systems, despite the vast quantities of special category data it processed. It added that findings from penetration tests were siloed within business units and identified risks were not remedied across its network.

Given the size and complexity of Capita’s network infrastructure, the ICO said it “accepts that an entire Capita-wide penetration test would not necessarily be feasible”. But it added that the company should have instead derived learning from smaller-scale tests and shared “remediation advice across the organisation”.

Capita also failed to effectively respond to security alerts after they had been detected, the watchdog found. Although a high priority security alert was raised within ten minutes of the breach, Capita took 58 hours to respond appropriately – based on Capita’s target response time, it should have dealt with the alert within 1 hour of its creation, the ICO said. 

Capita had argued that the ICO wrongly assessed the organisation’s compliance against its own internal targets rather than considering any regulatory or contractual obligations relevant to response times. But the regulator said it is within its remit to comment on Capita’s security targets when assessing the adequacy and implementation of its technical and organisational measures. 

According to the commissioner, “the 57+ hour delay in responding to this high priority security alert allowed the threat actor to gain a foothold in the Capita network and to ultimately exploit its systems.” The notice said that this slow response was not an isolated failure, adding that “historic underperformance” indicates systemic issues within Capita’s Security Operations Centre, including inadequate staffing.
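The finding above turns on a simple measurement: the time between an alert being raised and the first appropriate response, compared against the target for that priority. As an added example (not code from the ICO, Capita or the notice), the script below computes that figure over a handful of constructed SOC ticket records and lists the breaches. The 1-hour high-priority target is the one cited in the notice; the medium and low targets, the ticket contents and the timestamps are constructed assumptions for the example, with the first ticket deliberately shaped to reproduce a 58-hour delay.

```python
from datetime import datetime, timedelta

# Target time-to-first-response per priority. The 1-hour high-priority
# figure is the target cited in the notice; the others are constructed.
RESPONSE_TARGETS = {
    "high": timedelta(hours=1),
    "medium": timedelta(hours=8),
    "low": timedelta(hours=72),
}

# Constructed ticket records (ISO 8601 timestamps); None means still unanswered.
SAMPLE_ALERTS = [
    {"id": "A-1", "priority": "high",
     "raised": "2023-03-22T10:10:00", "first_response": "2023-03-24T20:10:00"},
    {"id": "A-2", "priority": "high",
     "raised": "2023-03-22T11:00:00", "first_response": "2023-03-22T11:40:00"},
    {"id": "A-3", "priority": "medium",
     "raised": "2023-03-23T09:00:00", "first_response": None},
    {"id": "A-4", "priority": "low",
     "raised": "2023-03-20T09:00:00", "first_response": "2023-03-21T09:00:00"},
]


def evaluate_alerts(alerts, targets=RESPONSE_TARGETS, now=None):
    """Return a per-alert summary with elapsed time and whether the target was missed.

    Open alerts are measured against `now`, so an unanswered ticket keeps
    accruing delay instead of silently dropping out of the report.
    """
    now = now or datetime.now()
    results = []
    for a in alerts:
        raised = datetime.fromisoformat(a["raised"])
        responded = (datetime.fromisoformat(a["first_response"])
                     if a["first_response"] else None)
        elapsed = (responded or now) - raised
        target = targets[a["priority"]]
        results.append({
            "id": a["id"],
            "priority": a["priority"],
            "elapsed_hours": round(elapsed.total_seconds() / 3600, 2),
            "target_hours": target.total_seconds() / 3600,
            "breached": elapsed > target,
            "open": responded is None,
        })
    return results


def sla_breaches(alerts, targets=RESPONSE_TARGETS, now=None):
    """Only the alerts whose response time exceeded the target for their priority."""
    return [r for r in evaluate_alerts(alerts, targets, now) if r["breached"]]


if __name__ == "__main__":
    report_time = datetime.fromisoformat("2023-03-23T20:00:00")
    for r in sla_breaches(SAMPLE_ALERTS, now=report_time):
        state = "open" if r["open"] else "closed"
        print(f"{r['id']} ({r['priority']}, {state}): "
              f"{r['elapsed_hours']}h against a {r['target_hours']}h target")
```

Run continuously over real ticketing data, the breach list is the evidence the regulator was looking at: how often, and by how much, the SOC misses its own targets. A pattern of breaches in the high-priority bucket is the kind of “historic underperformance” the notice describes, and it surfaces long before any single incident does.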

In imposing the fine, the ICO considered both the role of Capita as a controller and CPSL as a data processor in respect of the infringements. Capita had countered that such distinction is not relevant and that the decision to impose a penalty on both entities is disproportionate.

But the ICO maintained that it is appropriate to focus upon Capita “because of its general responsibility for data protection standards and processes across the Capita group”, and on pensions unit CPSL because of the volume and sensitivity of the data it processed. 

Capita chief executive Adolfo Hernandez said in a statement: “Following an extended period of dialogue with the ICO over the last two years, we are pleased to have concluded this matter and reach today’s settlement.”

Hernandez noted that he joined the company a year after the attack and worked to accelerate its cybersecurity transformation. “As a result, we have hugely strengthened our cybersecurity posture, built in advanced protections and embedded a culture of continuous vigilance,” Hernandez said. 

Fieldfisher partner Sarah Tedstone told Lexology PRO that cybersecurity-related matters have been an area of concern to regulators and governments around the world. She noted that the new NIS2 regulation in Europe, for example, looks to impose higher obligations on organisations with regard to preparedness, with the possibility of fines and personal liability for management.

“New legislation may follow in the UK in the Cyber Security and Resilience Bill which aims to strengthen cyber resilience across critical national infrastructure, including sectors like energy, water, transport, and healthcare,” Tedstone added.

ICO fines

Although the regulator cut the initially proposed fine by almost 68%, citing mitigating factors and the settlement agreement, the £14 million penalty is still the third-highest GDPR data security fine issued by the ICO to date. It follows the £20 million fine issued to British Airways and the £18.4 million fine issued to Marriott in 2020. 

Herbert Smith Freehills partner Peter Dalton told Lexology PRO that the Capita fine’s status as one of the ICO’s highest to date demonstrates the “seriousness with which the ICO takes cyber incidents where there is evidence that technical and organisational measures have fallen below regulatory expectations”.

Dalton also noted the importance placed by the regulator on the overall potential for damages and the number of data subjects affected.

He added that “the significant discount ultimately applied to bring the fine down to £14 million does highlight that organisations which are prepared to admit liability and settle with the ICO can achieve significant discounts.”

Notably, almost all of the 19 GDPR and UK GDPR penalties handed out by the ICO relate to data security matters, the exceptions being the £250,000 fine it issued to retailer Easylife for using customers’ personal information to infer medical conditions and the £7.5 million fine issued to Clearview AI for scraping and storing individuals’ biometric data.

The regulator has on seven other occasions handed out enforcement notices for various non-data security infringements, such as its action against Snap over the risks posed by its AI chatbot to children and against the UK’s tax office over its collection of voice recognition data. 

Documents

ICO notice.pdf