The UK's Information Commissioner's Office (ICO) has issued a £14 million ($18.6 million) penalty to outsourcing giant Capita following a catastrophic 2023 cyberattack that exposed the personal data of 6.6 million people.
The fine breaks down as £8 million ($10.6 million) for Capita plc and £6 million ($8 million) for Capita Pension Solutions. The breach affected 325 of the 600-plus organizations that rely on Capita's services, compromising sensitive employee and pension records.
The ICO's full report into Capita's failings [PDF] revealed the attackers accessed highly sensitive information, including full bank and credit card details, biometrics data, passport information, login details, child data, and more. The data exposed varied for each of the 6.6 million individuals caught up in the breach.
John Edwards, UK Information Commissioner, said: "Capita failed in its duty to protect the data entrusted to it by millions of people. The scale of this breach and its impact could have been prevented had sufficient security measures been in place.
"When a company of Capita's size falls short, the consequences can be significant. Not only for those whose data is compromised – many of whom have told us of the anxiety and stress they have suffered – but for wider trust amongst the public and for our future prosperity. As our fine shows, no organization is too big to ignore its responsibilities."
The ICO initially planned to fine the outsourcer £45 million ($60.1 million), but reduced it after Capita demonstrated security improvements, provided victim support, and cooperated with authorities including the National Cyber Security Centre.
Capita recorded £116.6 million ($155.5 million) in profit after tax for calendar 2024, meaning the fine equates to around 12 percent of this figure.
According to Tussell data, since the mega breach, the UK government has awarded Capita 241 contracts worth a combined £6 billion ($8 billion), although there is little mention of cybersecurity responsibilities in any of them.
Dissecting the attack
At the heart of the failures was Capita's slow response to the initial intrusion in March 2023, with crucial containment measures not enacted for 58 hours after its systems detected a potential compromise.
It all started with a malicious JavaScript download. How this was triggered remains unknown, but is believed to be a drive-by-download, since Microsoft's report into the attack did not find evidence of phishing.
The attacker then installed Qakbot malware and the widely abused Cobalt Strike pentesting tool.
Capita's security operations center (SOC) failed to respond either to the high-priority P2 alert raised after the JavaScript download, or to the missed-SLA alert that followed when that P2 went unanswered.
The attacker then logged into a staff device using a backup admin account 4 hours and 21 minutes after the initial compromise, which occurred at 07:52 on March 22, 2023.
The ICO's analysis states there were traces of Kerberos credential harvesting at play and it is likely Capita's Active Directory was compromised. The attacker may have cracked a hashed password to gain access and log into the backup admin account.
In a series of critical failures, the CAPITA\backupadmin service account violated Microsoft's security best practices: it had domain admin privileges instead of least-privilege access; lacked device access restrictions; wasn't monitored for compromise; sat outside any tiered access model; and lacked privileged access management (PAM) controls.
The attacker leveraged this account to pivot into eight other Capita domains. Notably, three previous penetration tests dating back to August 2022 had identified this exact vulnerability, but Capita took no corrective action.
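The five failings the ICO lists against the backup admin account are all checkable from a management host with the RSAT ActiveDirectory module. The script below is an added example written for this article, not code from the ICO report or from Capita: it audits every user in the Tier-0 groups for the same weaknesses (service-style account holding domain admin rights, no logon workstation restriction, no Protected Users membership or delegation block, a never-rotated password) and then checks the domain controller's Security log for Kerberos TGT requests (event 4768) for those accounts from hosts outside an allowlist, which is the monitoring that was missing. The service-account naming pattern, the 90-day password age threshold and the allowlisted workstation addresses are assumptions to be replaced with local values.

```powershell
# Added example (not from the ICO report or Capita). Requires RSAT ActiveDirectory
# and read access to the domain and to a DC's Security log.
Import-Module ActiveDirectory

# Tier-0 groups in which no service or "backup" account should appear.
$Tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Get-PrivilegedAccountFindings {
    param(
        # Assumed naming convention for service accounts; adjust to your environment.
        [string]$ServiceAccountPattern = '^(svc|backup|sa)[-_]?',
        # Assumed maximum credential age; a cracked hash stays valid until rotation.
        [int]$MaxPasswordAgeDays = 90
    )
    $findings = @()
    foreach ($group in $Tier0Groups) {
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
                   Where-Object objectClass -eq 'user'
        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.DistinguishedName -Properties `
                 LogonWorkstations, AccountNotDelegated, PasswordLastSet, `
                 PasswordNeverExpires, MemberOf
            $issues = @()
            # Least privilege: a service-style account has no business in a Tier-0 group.
            if ($u.SamAccountName -match $ServiceAccountPattern) {
                $issues += "service-style account is a member of $group"
            }
            # Device restriction: empty LogonWorkstations means it can log on to any host,
            # including the staff device the attacker used here.
            if (-not $u.LogonWorkstations) { $issues += 'no logon workstation restriction' }
            # Tiering hardening: Protected Users membership and a delegation block.
            if (-not ($u.MemberOf -match '^CN=Protected Users,')) { $issues += 'not in Protected Users' }
            if (-not $u.AccountNotDelegated) { $issues += 'delegation not blocked' }
            # Credential rotation.
            if ($u.PasswordNeverExpires) { $issues += 'password never expires' }
            if ($u.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) {
                $issues += "password older than $MaxPasswordAgeDays days"
            }
            if ($issues.Count -gt 0) {
                $findings += [pscustomobject]@{
                    Account = $u.SamAccountName; Group = $group; Issues = ($issues -join '; ')
                }
            }
        }
    }
    return $findings
}

function Find-UnexpectedPrivilegedTgtRequests {
    param(
        [Parameter(Mandatory)][string[]]$AccountNames,
        # Assumed allowlist of privileged access workstation addresses.
        [string[]]$AllowedSources = @('10.0.100.10', '10.0.100.11'),
        [string]$DomainController = $env:COMPUTERNAME,
        [int]$Hours = 24
    )
    # 4768 = Kerberos TGT requested; TargetUserName and IpAddress identify who asked, from where.
    $filter = @{ LogName = 'Security'; Id = 4768; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = $d['TargetUserName']
                Source  = ($d['IpAddress'] -replace '^::ffff:', '')   # strip IPv4-mapped prefix
            }
        } |
        Where-Object { ($AccountNames -contains $_.Account) -and ($_.Source -notin $AllowedSources) }
}

# Usage: list the findings, then look for the flagged accounts authenticating from unexpected hosts.
$findings = Get-PrivilegedAccountFindings
$findings | Format-Table -AutoSize
if ($findings) {
    Find-UnexpectedPrivilegedTgtRequests -AccountNames ($findings.Account | Select-Object -Unique) |
        Format-Table -AutoSize
}
```

The second function is a one-off hunt rather than continuous monitoring; the same 4768 filter is what you would hand to a SIEM as a standing rule, with an alert priority that matches the account's privilege level.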
More than 24 hours after the initial compromise, Capita's Trellix EDR system detected Qakbot recovering and decrypting usernames and passwords from the staff device. The SOC didn't quarantine the infected device until March 24 — 58 hours after the JavaScript download.
Despite Capita's stated 45-minute response time for P2 alerts (with a 1-hour SLA), the company took 57 hours. The ICO noted that the presence of Qakbot and Cobalt Strike should have triggered a P1 alert demanding immediate remediation, rather than a P2.
By the time Capita responded, the attacker had already established a persistent foothold in the network and gained access to a domain admin account, allowing them to move laterally around the network.
For four days – March 24-28 – they conducted network reconnaissance using Cobalt Strike and Bloodhound before Capita detected three compromised staff devices and contained them.
The ICO noted that Capita had just one SOC analyst on duty across the entire company at the time of the incident. This was despite consistently missing its P2 alert SLA targets (mostly below 30 percent since November 2022 against a target of 95 percent), and the number of its P2 alerts rising 100 percent in the six months prior to the attack.
The attacker began extracting data using SystemBC and Rclone, stealing approximately 1 TB of information within 24 hours.
In its analysis of the attack, the ICO said: "Capita has still not shown that the systems from which personal data was exfiltrated had ever had a penetration test at any point. Furthermore, there is no evidence that Capita had ever undertaken an internal audit of the security of these business units from which personal data was exfiltrated."
In the early hours of March 31, the attacker deployed ransomware on at least 1,057 hosts and triggered a global password reset of 59,359 accounts, after which the outsourcer reported the ordeal to the ICO.
Capita had mostly recovered by April 6, but its full system restoration was staggered until May 17, when 99 percent of systems were available. It reached 100 percent uptime by "mid-June 2023."
Capita's response
The ICO's full incident report shows how Capita attempted to argue on multiple occasions that ICO officials did not have the regulatory remit to comment on its security posture. In most of these cases, the ICO disagreed.
In a statement responding to today's fine, Capita said it regrets the incident and is committed to improving its systems.
Adolfo Hernandez, CEO at Capita, said: "As an organisation delivering essential public services as well as key services for private sector clients, Capita was among the first in the recent wave of highly significant cyber-attacks on large UK companies."
"When I joined as CEO the year after the attack I accelerated our cybersecurity transformation, with new digital and technology leadership and significant investment. As a result, we have hugely strengthened our cybersecurity posture, built in advanced protections and embedded a culture of continuous vigilance."
"Following an extended period of dialogue with the ICO over the last two years, we are pleased to have concluded this matter and reach today's settlement. The Capita team continues to focus tirelessly on our Group transformation journey for the benefit of our customers, our people, and wider society."
Edwards at the ICO said: "With so many cyberattacks in the headlines, our message is clear: every organization, no matter how large, must take proactive steps to keep people's data secure. Cybercriminals don't wait, so businesses can't afford to wait either – taking action today could prevent the worst from happening tomorrow."
®