PA MediaOutsourcing giant Capita has been fined £14 million by the Information Commissioner’s Office (ICO) for failing to protect personal data after hackers stole 6.6 million people’s information during a cyber attack in 2023.
The data watchdog said the breach in March 2023 saw the hackers access information including pension details and staff records, as well as details of customers of organisations Capita supports.
In some cases this included sensitive information such as details of criminal records, financial data or so-called special category data, which can include race, religion and sexual orientation.
The ICO fined Capita £8 million and a further £6 million for Capita Pension Solutions, which processes personal information on behalf of more than 600 groups providing pension schemes, with 325 of these organisations also impacted by the data breach.
John Edwards, UK information commissioner, said: “Capita failed in its duty to protect the data entrusted to it by millions of people.
“The scale of this breach and its impact could have been prevented had sufficient security measures been in place.”
The ICO said Capita had failed to ensure the security of processing of personal data, which left it at “significant risk”, adding that the company also lacked “appropriate technical and organisational measures to effectively respond to the attack”.
The ICO had initially proposed a combined fine of £45 million, but said this was reduced as part of a voluntary settlement and as it took into account actions by Capita following the hack to improve its systems, offer support to those impacted and engage with cyber authorities and regulators.
Capita said: “We regret the incident and can reaffirm that, following a detailed forensic investigation, all those identified as potentially impacted were contacted after the attack.”
Capita chief executive Adolfo Hernandez, who took on the role in 2024, said the firm was “among the first in the recent wave of highly significant cyber attacks on large UK companies”.
He added: “When I joined as CEO the year after the attack I accelerated our cyber security transformation, with new digital and technology leadership and significant investment.
“As a result, we have hugely strengthened our cybersecurity posture, built in advanced protections and embedded a culture of continuous vigilance.”
Follow STV News on WhatsApp
Scan the QR code on your mobile device for all the latest news from around the country
