The UK’s data watchdog has fined outsourcer Capita £14mn over a data breach in which hackers stole the personal information of more than 6mn people.
The Information Commissioner’s Office on Wednesday said that Capita had “failed to ensure the security of personal data” in the 2023 cyber attack.
The data included details of the customers of organisations Capita worked for, as well as pension records and other “sensitive information” such as criminal records and financial data, the ICO said.
The cyber attack, which began when a malicious file was unintentionally downloaded on to an employee device in March 2023, affected 325 pension schemes. Capita did not isolate the compromised device for 58 hours, and during this time “the attacker was able to exploit its systems”, the ICO said.
“Capita failed in its duty to protect the data entrusted to it by millions of people. The scale of this breach and its impact could have been prevented had sufficient security measures been in place,” said John Edwards, the UK’s Information Commissioner.
The fine follows a series of increasingly high-profile cyber attacks on UK companies this year, including those on Co-op, M&S and Jaguar Land Rover.
The attacks have prompted security services, including MI5, to step up their engagement with private companies. Richard Horne, head of the UK National Cyber Security Centre, said this week that the private sector must take its cyber defences more seriously.
“With so many cyber attacks in the headlines, our message is clear: every organisation, no matter how large, must take proactive steps to keep people’s data secure,” said Edwards.
The ICO said it had initially planned to fine Capita a total of £45mn, but reduced it after Capita submitted details of “mitigating factors”, including improvements made after the attack.
“Capita has acknowledged the ICO’s decision and admitted liability, agreeing to pay a final penalty of £14mn without appealing,” the regulator said.
Capita said: “Capita is committed to upholding the security of its data and protection of our systems for our clients and their customers. We regret the incident and can reaffirm that, following a detailed forensic investigation, all those identified as potentially impacted were contacted after the attack.”