-Capita has been fined 14 million pounds ($18.7 million) for failing to protect personal data during a 2023 cyber attack, the British outsourcing firm said on Wednesday, as part of a settlement with the UK’s privacy watchdog.
The company, which provides business support services to government and corporate clients, disclosed in 2023 that the breach compromised some data on its servers and estimated a financial impact of up to 20 million pounds.
The incident compromised the personal data of 6.7 million individuals, as per an Information Commissioner’s Office report published on Wednesday.
Capita said it has since strengthened its cyber security measures and built in advanced protections.
The settlement underscores rising regulatory pressure on UK firms hit by cyber attacks, amid heightened scrutiny following high-profile breaches at Marks & Spencer, Co-op and luxury carmaker Jaguar Land Rover.
“With so many cyber attacks in the headlines, our message is clear: every organisation, no matter how large, must take proactive steps to keep people’s data secure,” said John Edwards, UK Information Commissioner.
ICO said Capita failed to implement adequate measures to prevent privilege escalation and unauthorised lateral movement through its network, and did not respond effectively to security alerts.
“Following an extended period of dialogue with the ICO over the last two years, we are pleased to have concluded this matter,” Capita CEO Adolfo Hernandez said in a statement.
The company now expects to record a free cash outflow of 59 million-79 million pounds for 2025, up from previous estimates of 45 million-65 million pounds. All other annual and mid-term targets remain unchanged.
“Highly significant” cyber incidents have doubled in Britain year-on-year, the head of National Cyber Security Centre (NCSC) said on Tuesday.
($1 = 0.7493 pounds)
