The Information Commissioner’s Office (ICO) has fined Capita and its subsidiary Capita Pension Solutions a total of £14m over a data security breach that affected multiple pension schemes, including the Universities Superannuation Scheme (USS).

Capita was hit by a cyberattack in 2023 that saw the personal data of approximately 6.6 million people stolen, including pension records and other financial data. This included around 470,000 USS members.

The ICO said the fine was for “failing to ensure the security of personal data” related to the breach. It said 325 organisations were affected.

The investigation also found that Capita had “failed to ensure the security of processing of personal data, which left it at significant risk, as well as lacking the appropriate technical and organisational measures to effectively respond to the attack”.

USS has since replaced Capita with Procentia as its chosen administration technology provider. There was no suggestion that the incident played a role in USS’s decision to change providers, but the scheme said Capita “chose not to participate” in the tender as its strategy and focus did not align with USS’s long-term needs.

The ICO had initially intended to fine Capita £45m over the incident, but said in a press release today that the company had “submitted representations and mitigating factors”, had offered support to people affected by the data breach and had engaged with regulators.

Capita offered credit monitoring services to affected customers, which were used by more than 260,000 people. It also set up a dedicated call centre.

The £14m fine is a “voluntary settlement”, the ICO said.

ICO urges ‘proactive steps’ to boost cybersecurity

John Edwards, UK Information Commissioner, said: “Capita failed in its duty to protect the data entrusted to it by millions of people. The scale of this breach and its impact could have been prevented had sufficient security measures been in place.

“When a company of Capita’s size falls short, the consequences can be significant. Not only for those whose data is compromised – many of whom have told us of the anxiety and stress they have suffered – but for wider trust among the public and for our future prosperity. As our fine shows, no organisation is too big to ignore its responsibilities.”

Edwards said that strong cybersecurity “is fundamental to economic growth and security”, adding: “Every organisation, no matter how large, must take proactive steps to keep people’s data secure. Cyber criminals don’t wait, so businesses can’t afford to wait either – taking action today could prevent the worst from happening tomorrow.”

How the attack played out

The ICO’s report on the Capita breach states:

“The attack began when a malicious file was unintentionally downloaded onto an employee device on 22 March 2023. Despite a high priority security alert being raised within 10 minutes of the breach and some immediate automated action being taken, Capita did not quarantine the device for 58 hours, during which the attacker was able to exploit its systems.

“This file enabled the deployment of malicious software onto the Capita network, allowing the hacker to stay in the system, gain administrator permissions and access other areas of the network. Between 29 and 30 March 2023, nearly one terabyte of data was exfiltrated.

“On 31 March 2023, ransomware was deployed onto Capita systems and the hacker reset all user passwords, preventing Capita staff from accessing their systems and network. The ICO received at least 93 complaints in relation to this attack.”