A data breach affecting over six million people has resulted in a £14 million fine for professional services firm Capita following an investigation by the UK Information Commissioner’s Office (ICO).
The fine is split between Capita Plc and Capita Pension Solutions, which have been billed £8 million and £6 million respectively for the March 2023 attack.
According to the ICO, the UK’s data protection authority, Capita failed in three areas: preventing privilege escalation and unauthorized lateral movement, responding appropriately to security alerts, and penetration and risk assessment.
The attack began on 22 March 2023 after an employee downloaded a malicious file, and an alert was issued within just 10 minutes. However, the company failed to act on this alert for over a day – 58 hours in total versus a target response time of one hour.
A lack of tiering for admin accounts also enabled the attacker to escalate privileges and move laterally across multiple domains, the ICO found.
According to the data protection watchdog, these actions were flagged on at least three occasions as a vulnerability but none were acted on. Ultimately this enabled the attacker to gain access to critical data, nearly one terabyte of which was exfiltrated.
On 31 March – nine days after the attack started – the threat actor deployed ransomware onto the company’s systems and reset all user passwords.
In total, 6.6 million people had their personal information stolen from Capita’s systems, including pension records, staff records, and the details of customers of organizations supported by Capita.
John Edwards, the UK’s information commissioner, said: “The scale of this breach and its impact could have been prevented had sufficient security measures been in place.
“When a company of Capita’s size falls short, the consequences can be significant. Not only for those whose data is compromised – many of whom have told us of the anxiety and stress they have suffered – but for wider trust amongst the public and for our future prosperity. As our fine shows, no organisation is too big to ignore its responsibilities.”
“Maintaining good cybersecurity is fundamental to economic growth and security,” Edwards continued. “Every organization, no matter how large, must take proactive steps to keep people’s data secure. Cyber criminals don’t wait, so businesses can’t afford to wait either – taking action today could prevent the worst from happening tomorrow.”
In response to the settlement, Capita said it’s “committed to upholding the security of its data and protection of our systems for our clients and their customers”.
The company added that it has contacted everyone affected or potentially affected by the breach.
Capita’s CEO Adolfo Hernandez, who joined the company a year after the attack, added: “When I joined as CEO … I accelerated our cybersecurity transformation, with new digital and technology leadership and significant investment. As a result, we have hugely strengthened our cybersecurity posture, built in advanced protections and embedded a culture of continuous vigilance.”
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
