Capita fined £14m for data breach impacting 6.6 million people

The Information Commissioner’s Office (ICO) has hit London-headquartered Capita with a £14 million fine after the outsourcing business failed to protect the personal information of millions of customers during a data breach.

During a cyber-attack on the company in March 2023, a hacker stole the data of 6.6 million people, including pension records, staff records, and the details of customers of organisations the business supports.

For some of those impacted by the breach this included sensitive information such as details of criminal records, financial data or special category data.

Following an investigation, the ICO found that Capita had failed to ensure the security of processing of personal data which left it at "significant risk."

The probe also revealed that the organisation lacked the appropriate technical and organisational measures to effectively respond to the cyber incident.

The attack began on 22 March 2023 when a malicious file was unintentionally downloaded onto an employee device.

The regulator said that while a high priority security alert was raised within 10 minutes of the breach, and some immediate automated action was taken, Capita did not quarantine the device for 58 hours, during which time the attacker was able to exploit its systems.

The malicious file enabled the deployment of malicious software onto the Capita network, which allowed the hacker to remain in the system, gain administrator permissions, and access other areas of the network.

The ICO said that between 29 and 30 March 2023, nearly one terabyte of data was exfiltrated.

On 31 March 2023, ransomware was deployed onto Capita systems, allowing the hacker to reset all user passwords and preventing staff from accessing their systems and network.

Capita Pension Solutions Limited, which processes personal information on behalf of over 600 organisations providing pension schemes, was also impacted by the breach, with 325 companies having data stolen.

Capita plc has been fined £8 million and Capita Pension Solutions Limited has been fined £6 million.

“Capita failed in its duty to protect the data entrusted to it by millions of people," said John Edwards, UK information commissioner. "The scale of this breach and its impact could have been prevented had sufficient security measures been in place."

He added that with so many cyber-attacks in the headlines, the ICO's message is clear: "every organisation, no matter how large, must take proactive steps to keep people’s data secure."

"Cyber criminals don’t wait, so businesses can’t afford to wait either - taking action today could prevent the worst from happening tomorrow," continued Edwards.

The ICO initially informed Capita of its provisional intention to fine it a combined total of £45 million.

Capita then submitted representations and mitigating factors on the provisional decision.

This included the improvements made after the attack, support offered to affected individuals, and engagement with other regulators and the National Cyber Security Centre.

The ICO and Capita have now agreed to a voluntary settlement.

Capita has acknowledged the ICO’s decision and admitted liability, agreeing to pay a final penalty of £14 million.
