Lessons from the ICO’s Capita enforcement action - what can we learn?

  • Louise Thompson
  • 18 Nov 2025
  • 3 min read

In October, the ICO announced that it had issued fines totalling £14 million to Capita. Capita plc was fined £8 million and Capita Pension Solutions Limited (CPSL) was fined £6 million. Capita has accepted the fines and will not appeal. These fines arose from a March 2023 cyber attack and personal data breach that saw hackers steal the personal data of over 6.5 million people.

The ICO found that:

  1. Capita plc had infringed Articles 5(1)(f), 32(1) and 32(2) of the UK GDPR (which relate to security of personal data) in its capacity as data controller.
  2. CPSL had also infringed Articles 32(1) and 32(2) of the UK GDPR in its capacity as data processor.

In particular, the ICO found that Capita had failed to ensure the security of personal data because it had not implemented and used appropriate technical and organisational measures to protect personal data, as required by the UK GDPR.

Impact of the personal data breach

The personal data stolen included pension and staff records and in some cases details of criminal records, financial data and special category data (including information about health, political beliefs and sexual orientation). 

In addition, the personal data breach extended beyond Capita: CPSL processes personal data on behalf of over 600 third-party organisations providing pension schemes, and over half of those organisations were also impacted.

John Edwards, UK Information Commissioner, said in relation to the breach:

“Maintaining good cybersecurity is fundamental to economic growth and security. With so many cyber attacks in the headlines, our message is clear: every organisation, no matter how large, must take proactive steps to keep people’s data secure.”

Lesson 1

Have appropriate, industry standard processes and policies in place and comply with them.

This incident illustrates the importance of having appropriate security processes and procedures in place including:

  1. Appropriate system monitoring to detect and flag security alerts, which are then promptly and appropriately responded to.
  2. Applying the “principle of least privilege” (i.e. restricting the access privileges of users to the minimum necessary to accomplish their role or function).
  3. Preventing unauthorised privilege escalation (i.e. the ability to gain higher-level permissions on a system).
  4. Preventing unauthorised lateral movement (the ability, once access to a system has been gained, to move around the system more widely).

In this case, the cyber attack began when a malicious file was unintentionally downloaded onto an employee device. This triggered a high-priority P2 security alert within 10 minutes and some immediate automated action, but crucially Capita did not quarantine the affected device for 58 hours (Capita’s internal policies required 95% of P2 alerts to be responded to within one hour). The ICO found that Capita’s Security Operations Centre was understaffed and that, for a period of at least six months before the incident, it fell well below Capita’s own target response times for security alerts.

The malicious file enabled the deployment, over 4 hours later, of malicious software onto part of Capita’s network. Once in, the hacker was able to gain administrator permissions and access the Capita network more widely. Nearly one terabyte of data was exfiltrated, ransomware was then deployed, and the hacker was able to reset all user passwords, preventing system access.
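A defender’s view of the response-time failure described above, as an added example that is not from the original post or from Capita: it measures P2 alert-to-containment delays in constructed SOC records against the one-hour / 95% policy quoted on the page. The record format, alert ids and timestamps are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Policy figures from the page: 95% of P2 alerts responded to within one hour.
P2_SLA = timedelta(hours=1)
P2_TARGET = 0.95

# Constructed sample SOC records (not Capita's real data). Columns:
# alert_id,priority,raised,contained; an empty "contained" means still open.
SAMPLE_LOG = """\
alert_id,priority,raised,contained
A-1001,P2,2023-03-22T09:00:00,2023-03-22T09:25:00
A-1002,P2,2023-03-22T09:40:00,2023-03-22T10:15:00
A-1003,P2,2023-03-22T11:05:00,2023-03-24T21:05:00
A-1004,P3,2023-03-22T12:00:00,2023-03-23T12:00:00
A-1005,P2,2023-03-22T13:30:00,2023-03-22T13:50:00
A-1006,P2,2023-03-22T15:00:00,
"""
NOW = datetime(2023, 3, 25)  # constructed evaluation time, so open alerts keep ageing

def parse_log(text: str) -> list[dict]:
    """Parse the CSV-style records into dicts with datetime fields."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    alerts = []
    for line in lines[1:]:
        row = dict(zip(header, line.split(",")))
        row["raised"] = datetime.fromisoformat(row["raised"])
        row["contained"] = datetime.fromisoformat(row["contained"]) if row["contained"] else None
        alerts.append(row)
    return alerts

def response_time(alert: dict, now: datetime) -> timedelta:
    """Alert-to-containment delay; an open alert counts up to `now`."""
    return (alert["contained"] or now) - alert["raised"]

def p2_sla_report(alerts: list[dict], now: datetime) -> dict:
    """Measure P2 handling against the one-hour / 95% policy and name the breaches."""
    p2 = [a for a in alerts if a["priority"] == "P2"]
    breaches = [a["alert_id"] for a in p2 if response_time(a, now) > P2_SLA]
    ratio = (len(p2) - len(breaches)) / len(p2) if p2 else 1.0
    worst = max(p2, key=lambda a: response_time(a, now), default=None)
    return {"p2_total": len(p2), "within_sla": len(p2) - len(breaches),
            "ratio": round(ratio, 2), "meets_target": ratio >= P2_TARGET,
            "breaches": breaches,
            "worst_alert": worst["alert_id"] if worst else None,
            "worst_hours": response_time(worst, now).total_seconds() / 3600 if worst else 0.0}

def example_report() -> dict:
    """Run the report over the constructed sample; A-1003 mirrors the 58-hour delay."""
    return p2_sla_report(parse_log(SAMPLE_LOG), NOW)
```

The same report run daily over real SOC data gives an early warning of the sustained SLA shortfall the ICO found, rather than discovering it after an incident.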

Lesson 2

Carry out appropriate penetration testing (at regular intervals) and deal with material issues which are identified as soon as possible.

Capita systems affected by the incident, which were processing millions of records, were only subject to a penetration test when they were being commissioned and were not subject to any subsequent penetration testing.

More generally, it was known that Capita’s failure to implement a tiering model for administrative accounts (meaning privileges could be escalated to allow for lateral movement across systems) caused vulnerabilities in Capita systems. This risk was raised on at least three separate occasions, but the findings were not made known across the organisation (they were siloed in separate Capita business units) and were not universally remedied across Capita.

Whilst no system can be completely secure and the pace of change is hard to keep up with, organisations should prioritise investment in key security controls and resolution of material risks.

Lesson 3

How well an organisation responds to a breach is taken into account when the ICO considers enforcement action and levels of fines.

In its notice of intent (to fine) Capita, the ICO proposed a fine totalling £45 million. However, following representations from Capita and consideration of mitigating factors, the ICO reduced the fine to £14 million.

In particular, the ICO highlighted:

  1. Improvements made by Capita after the attack.
  2. Support offered to affected data subjects – Capita offered 12 months of credit monitoring to affected data subjects and set up a dedicated call centre for them as well.
  3. Engagement by Capita with regulators and the National Cyber Security Centre.
  4. Capita’s full admissions of the ICO’s findings of infringement and its agreement to pay the £14 million fine and not appeal.
