UK regulator fines Capita £14m over 2023 cyberattack that exposed 6.6m people

The UK’s Information Commissioner’s Office has issued a £14 million penalty to outsourcing firm Capita following a 2023 cyberattack that exposed the personal data of about 6.6 million people, the regulator said. The fine is split into £8 million for Capita plc and £6 million for Capita Pension Solutions, according to the ICO’s full report into Capita’s failings.

The ICO’s report said attackers accessed a wide range of highly sensitive information, including full bank and credit card details, biometric data, passport information, login details and data about children, and that the types of data exposed varied between affected individuals. The breach affected 325 of the more than 600 organisations that rely on Capita’s services, the regulator said.

According to the ICO, the incident began in March 2023 with a malicious JavaScript download that led to the installation of Qakbot malware and use of the Cobalt Strike tool. Roughly four hours after the initial compromise the attacker logged into a staff device using a backup admin account, an account that three earlier penetration tests had flagged as a vulnerability and that had never been remediated. The regulator said Capita's security operations centre failed to act on high-level alerts and did not contain the compromise for 58 hours, and that traces of Kerberos credential harvesting suggested Active Directory may have been compromised.

The ICO said Capita’s endpoint detection system logged credential recovery activity more than 24 hours after the first compromise but the infected device was not quarantined until March 24. By then the attacker had obtained domain administrator access, moved laterally across multiple domains and exfiltrated about 1 TB of data using SystemBC and Rclone. Ransomware was deployed on at least 1,057 hosts and a global password reset affected 59,359 accounts; Capita reported the incident to the ICO after those events, the report states.
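The failures in the two paragraphs above (high-severity endpoint alerts left unactioned for days, an interactive logon with a known backup admin account, Kerberos credential harvesting) are the kind of thing a SOC can check mechanically rather than by eye. The following Python is an added example and is not code from the ICO report, Capita or any vendor: it runs three triage checks over constructed JSON-lines events with a simplified field schema. The account name `backup_admin`, the hostnames, the four-hour containment SLA and the timestamps are all assumptions for illustration; the timestamps are chosen only to echo the 58-hour gap the regulator describes.

```python
"""Triage checks over constructed Windows/EDR-style JSON log lines.

The sample events, hostnames, account name and SLA below are constructed
for this example; they are not Capita's logs or the ICO's data.
"""
import json
from datetime import datetime, timezone

# Constructed sample: one JSON object per line, simplified field names.
SAMPLE_LOG = r"""
{"ts": "2023-03-22T08:00:00Z", "src": "edr", "kind": "alert", "alert_id": "A-1", "severity": "high", "host": "WS-0417", "rule": "Qakbot loader (JS dropper)"}
{"ts": "2023-03-22T12:05:00Z", "src": "winlog", "kind": "event", "event_id": 4624, "host": "WS-0417", "account": "backup_admin", "logon_type": 10}
{"ts": "2023-03-22T12:40:00Z", "src": "winlog", "kind": "event", "event_id": 4769, "host": "DC-01", "account": "backup_admin", "service": "MSSQLSvc/sql01.corp.example", "ticket_encryption": "0x17"}
{"ts": "2023-03-22T12:41:00Z", "src": "winlog", "kind": "event", "event_id": 4769, "host": "DC-01", "account": "jsmith", "service": "cifs/fs01.corp.example", "ticket_encryption": "0x12"}
{"ts": "2023-03-23T09:30:00Z", "src": "edr", "kind": "alert", "alert_id": "A-2", "severity": "high", "host": "WS-0417", "rule": "Credential dumping (LSASS access)"}
{"ts": "2023-03-24T18:00:00Z", "src": "edr", "kind": "contain", "alert_id": "A-1", "host": "WS-0417", "action": "quarantine"}
"""

BREAK_GLASS_ACCOUNTS = {"backup_admin"}  # assumption: the org's dormant break-glass accounts
SLA_HOURS = 4                             # assumption: high-severity alerts contained within 4h
RC4_HMAC = "0x17"                         # Kerberos etype 23; RC4 TGS requests are a Kerberoasting signal


def parse_events(text):
    """Parse JSON-lines into dicts, adding a timezone-aware datetime under 'when'."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["when"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def break_glass_logons(events, accounts=BREAK_GLASS_ACCOUNTS):
    """4624 interactive (type 2) or RDP (type 10) logons by a break-glass account.

    Such logons should be rare and always tied to a change ticket; an
    unticketed one is a page-out, not a dashboard entry."""
    return [
        (ev["ts"], ev["account"], ev["host"])
        for ev in events
        if ev.get("event_id") == 4624
        and ev.get("account") in accounts
        and ev.get("logon_type") in (2, 10)
    ]


def rc4_tgs_requests(events):
    """4769 service-ticket requests that negotiated RC4-HMAC (0x17).

    Modern domains issue AES tickets; an RC4 request for a service account
    is the classic Kerberoasting indicator."""
    return [
        (ev["ts"], ev["account"], ev["service"])
        for ev in events
        if ev.get("event_id") == 4769 and ev.get("ticket_encryption") == RC4_HMAC
    ]


def containment_latency(events, sla_hours=SLA_HOURS):
    """Hours from each high-severity alert to its first 'contain' action.

    Returns {alert_id: (hours_or_None, breached_sla)}; an alert with no
    containment at all is reported as (None, True)."""
    alerts = {ev["alert_id"]: ev for ev in events
              if ev.get("kind") == "alert" and ev.get("severity") == "high"}
    contained = {}
    for ev in events:
        if ev.get("kind") == "contain" and ev.get("alert_id") in alerts:
            contained.setdefault(ev["alert_id"], ev["when"])
    result = {}
    for aid, alert in alerts.items():
        if aid in contained:
            hours = (contained[aid] - alert["when"]).total_seconds() / 3600
            result[aid] = (hours, hours > sla_hours)
        else:
            result[aid] = (None, True)
    return result


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("break-glass logons:", break_glass_logons(evs))
    print("RC4 TGS requests:", rc4_tgs_requests(evs))
    print("containment latency:", containment_latency(evs))
```

On the constructed input the three checks surface exactly the three failures the report describes: a remote-interactive logon by the backup admin account, an RC4 ticket request from that account against a service principal, and a high-severity alert that took 58 hours to contain while a second one was never contained. The point of the latency check in particular is that "we had the alert" is not a control; time-to-contain against a stated SLA is the number a regulator, or an auditor, will ask for.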

The ICO initially proposed a £45 million penalty but reduced the amount after Capita demonstrated security improvements, provided victim support and cooperated with authorities including the National Cyber Security Centre, the regulator said. Capita recorded £116.6 million in profit after tax for calendar 2024, meaning the fine is roughly 12 percent of that figure. Data from Tussell shows the government has since awarded Capita 241 contracts worth about £6 billion.

Capita said it regretted the incident and is committed to improving its systems; the company said its new leadership had accelerated a cybersecurity transformation. John Edwards, the UK Information Commissioner, said: “Capita failed in its duty to protect the data entrusted to it by millions of people,” and warned that no organisation is too large to ignore its responsibilities, the ICO report quoted him as saying.