Capita Fined £14m After 2023 Breach that Hit 6.6 Million People

Capita will not appeal a £14m regulatory penalty for security failings that led to a 2023 data breach affecting some 6.6 million people, according to the Information Commissioner’s Office (ICO).

The UK data protection regulator said it initially intended to fine the outsourcing giant £45m. However, it decided that improvements made by Capita after the attack, support offered to affected individuals, and engagement with other regulators and the National Cyber Security Centre (NCSC) were enough to reduce the penalty by 69%.

In March 2023, a Capita employee unwittingly downloaded malware to their device after being targeted by a threat actor working with the Black Basta ransomware group.

Although a “high priority security alert” was raised within 10 minutes, the device wasn’t quarantined for a further 58 hours, enabling the threat actor to escalate privileges and move laterally to other parts of the network, according to the ICO.

Nine days after the initial breach, on March 31 2023, ransomware was deployed on the Capita network and the threat actor changed all user passwords, locking employees out.

Data stolen by Black Basta included pension and staff records, and sensitive information belonging to customers of Capita clients – such as criminal records, financial data and special category data, the ICO said. Over half (325) of the 600 Capita Pension Solutions clients were impacted.

Last year, 8,000 claimants brought a High Court case against Capita.

The company also ran billions of pounds worth of government contracts at the time, for clients including the NHS, HM Prison and Probation Service, the Royal Navy and many others.

A Catalog of Errors

According to the ICO, Capita infringed the UK GDPR by failing to “implement appropriate technical and organisational measures” such as:

  • Failing to prevent privilege escalation and unauthorised lateral movement: There was no “tiering model” (a key tenet of privileged access management) for admin accounts, despite this oversight being flagged on several occasions
  • Failing to respond appropriately to security alerts: Capita took 58 hours to respond despite a target response time of just one hour, which was partly due to understaffing in its Security Operations Center (SOC)
  • Inadequate pen testing and risk assessment: Systems processing millions of records were only given one pen test after being commissioned and findings were siloed in business units so identified risks weren’t addressed across the business

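As an added illustration of the first two failings above (this is example code written for this page, not the ICO's material or Capita's own tooling): a small Python check that applies a hypothetical three-tier admin model to constructed logon events and flags interactive logons that put a higher-tier credential on a lower-tier host (the path by which a compromised workstation yields domain-level privilege), then measures alert-to-containment latency against the one-hour target the ICO cites. The account names, hostnames, timestamps and tier mapping are all assumptions.

```python
"""Tiering-model logon check and alert-to-containment latency check.

Added example for this article. The tier mapping, accounts, hosts and
events below are constructed for illustration, not real Capita data.
"""
from datetime import datetime, timedelta

# Hypothetical tiering policy (assumption): Tier 0 = identity / domain
# control, Tier 1 = servers and applications, Tier 2 = user workstations.
ACCOUNT_TIER = {"da-alice": 0, "srvadmin-bob": 1, "carol": 2}
HOST_TIER = {"DC01": 0, "APP01": 1, "WS-1234": 2}

# Constructed logon events (assumption), in the shape a SIEM might hand over.
LOGON_EVENTS = [
    {"ts": "2023-03-22T09:00:00", "user": "carol", "host": "WS-1234", "type": "interactive"},
    # Tier 1 server admin logging on interactively to a Tier 2 workstation:
    # the credential is now exposed to whatever malware runs on that box.
    {"ts": "2023-03-22T09:05:00", "user": "srvadmin-bob", "host": "WS-1234", "type": "interactive"},
    # Tier 0 domain admin on a Tier 1 app server: same problem, one tier up.
    {"ts": "2023-03-22T09:10:00", "user": "da-alice", "host": "APP01", "type": "interactive"},
    {"ts": "2023-03-22T09:20:00", "user": "da-alice", "host": "DC01", "type": "interactive"},
    # Network logon (e.g. reaching a file share) does not cache a reusable
    # credential on the target in this simplified model, so it is not checked.
    {"ts": "2023-03-22T09:30:00", "user": "carol", "host": "APP01", "type": "network"},
]


def tiering_violations(events, account_tier=ACCOUNT_TIER, host_tier=HOST_TIER):
    """Return (ts, user, host, reason) for every interactive logon that breaks
    the tier model. Lower tier number = higher trust. An account may only log
    on interactively to hosts of its own tier; an unclassified account or
    host is reported too, because a model that has not been applied to an
    asset cannot protect it."""
    violations = []
    for e in events:
        if e["type"] != "interactive":
            continue
        a = account_tier.get(e["user"])
        h = host_tier.get(e["host"])
        if a is None or h is None:
            violations.append((e["ts"], e["user"], e["host"], "unclassified account or host"))
        elif h > a:
            violations.append((e["ts"], e["user"], e["host"],
                               f"tier {a} credential exposed on tier {h} host"))
        elif h < a:
            violations.append((e["ts"], e["user"], e["host"],
                               f"tier {a} account has no business on tier {h} host"))
    return violations


def containment_latency(alert_ts, contained_ts, target=timedelta(hours=1)):
    """Hours between a high-priority alert and containment of the device,
    and whether that exceeded the response-time target (default one hour,
    the target the ICO says Capita had set)."""
    elapsed = datetime.fromisoformat(contained_ts) - datetime.fromisoformat(alert_ts)
    return elapsed / timedelta(hours=1), elapsed > target


if __name__ == "__main__":
    for v in tiering_violations(LOGON_EVENTS):
        print("TIERING VIOLATION:", *v)
    # Constructed timestamps: alert 10 minutes after the download, device
    # quarantined 58 hours later, mirroring the timeline in the ICO's account.
    hours, breached = containment_latency("2023-03-22T09:10:00", "2023-03-24T19:10:00")
    print(f"alert-to-containment: {hours:.0f}h, target breached: {breached}")
```

Run as-is it reports two tiering violations (the server admin on the workstation and the domain admin on the app server) and a 58-hour containment time flagged against the one-hour target. In practice the event source would be Windows Security log logon events or the EDR's own telemetry, and the tier mapping would come from the directory's group membership rather than a hard-coded dictionary.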
Information Commissioner John Edwards argued that the incident could have been prevented had “sufficient security measures” been put in place.

“When a company of Capita’s size falls short, the consequences can be significant. Not only for those whose data is compromised – many of whom have told us of the anxiety and stress they have suffered – but for wider trust amongst the public and for our future prosperity,” he continued.

“As our fine shows, no organization is too big to ignore its responsibilities.”

Responding to the news, Capita CEO Adolfo Hernandez stressed the “cybersecurity transformation” that the business has undergone since the incident.

“As a result, we have hugely strengthened our cybersecurity posture, built in advanced protections and embedded a culture of continuous vigilance,” he said in a statement.

“Following an extended period of dialogue with the ICO over the last two years, we are pleased to have concluded this matter and reach today’s settlement.”

The ICO urged organizations to proactively address security risks by:

  • Ensuring least privilege principles are enforced and taking other steps to prevent lateral movement
  • Regularly monitoring for suspicious activity and responding promptly to alerts
  • Sharing the findings of pen tests across the entire organization
  • Prioritizing investment in key controls to ensure they’re working properly
  • Checking “agreements and responsibilities” between data controllers and processors
