Capita fined £14 million after it 'failed to ensure the security' of personal data
Briefly

"A data breach affecting over six million people has resulted in a £14 million fine for professional services firm Capita following an investigation by the UK Information Commissioner's Office (ICO). The fine is split between Capita Plc and Capita Pension Solutions, which have been billed £8 million and £6 million respectively for the March 2023 attack. According to the ICO, the UK's data protection authority, Capita failed in three areas: preventing privilege escalation and unauthorized lateral movement, responding appropriately to security alerts, and penetration and risk assessment."
"The attack began on 22 March 2023 after an employee downloaded a malicious file, and an alert was issued within just 10 minutes. However, the company failed to act on this alert for over a day - 58 hours in total versus a target response time of one hour. A lack of tiering for admin accounts also enabled the attacker to escalate privileges and move laterally across multiple domains, the ICO found."
"On 31 March - nine days after the attack started - the threat actor deployed ransomware onto the company's systems and reset all user passwords. In total, 6.6 million people had their personal information stolen from Capita's systems, including pension records, staff records, and the details of customers of organizations supported by Capita. John Edwards, the UK's information commissioner, said: 'The scale of this breach and its impact could have been prevented had sufficient security measures been in place.'"
Capita experienced a March 2023 cyberattack that exposed personal data for 6.6 million people and triggered a £14 million fine split between Capita Plc (£8m) and Capita Pension Solutions (£6m). The ICO identified failures in preventing privilege escalation and lateral movement, responding to security alerts, and performing penetration and risk assessments. The attack began when an employee downloaded a malicious file on 22 March; an alert was raised within ten minutes but remained unaddressed for 58 hours against a one-hour target. Lack of admin account tiering enabled lateral movement, nearly one terabyte of data was exfiltrated, and ransomware was deployed on 31 March with all user passwords reset.
Read at IT Pro