A company has been fined £14m for failing to keep data safe during a cyber attack, which resulted in more than six million people having their data stolen.
Sensitive information, such as pension records, details of criminal convictions and other financial data, were taken by cyber attackers from outsourcing specialist and government contractor Capita in March 2023.
The company was left “at significant risk”, the UK privacy watchdog said, as it failed to ensure secure processing of personal data.
Money blog: Major changes to vet prices proposed after investigation
Capita also lacked appropriate technical and organisational measures to effectively respond to the attack, the Information Commissioner’s Office (ICO) said.
The scale and impact of the attack could have been prevented if sufficient security measures were in place, the ICO added.
Please use Chrome browser for a more accessible video player
Are we in a cyber attack ‘epidemic’?
Rather than responding to a high-priority security alert in an hour, as is the target response time, Capita took 58 hours and its security operations centre was understaffed, the regulator said.
The delay meant a malicious file, accidentally downloaded by an employee to their device, was not quarantined and the attacker was able to exploit systems.
As well as those impacted by the breach suffering anxiety and stress, the ICO said there are problems of wider trust among the public from a large company like Capita falling short. It employs roughly 35,000 people globally.
The company avoided a fine of £45m as it admitted liability, implemented improvements after the attack, offered support to affected individuals and engaged with other regulators and the UK’s cyber agency, the National Cyber Security Centre (NCSC).
Adolfo Hernandez, Capita’s chief executive, said: “When I joined as CEO the year after the attack I accelerated our cyber security transformation, with new digital and technology leadership and significant investment.
“As a result, we have hugely strengthened our cyber security posture, built in advanced protections and embedded a culture of continuous vigilance.”
A spate of major attacks
It comes as the NCSC on Tuesday revealed a 50% jump in significant attacks in Britain by criminals and hostile states.
In recent months, high-profile companies such as Jaguar Land Rover, Marks and Spencer and the Co-Op have had their operations hit by attacks.
The economic impact of good cyber security was highlighted by the ICO on Wednesday.
A warning to other companies
“With so many cyber attacks in the headlines, our message is clear: every organisation, no matter how large, must take proactive steps to keep people’s data secure,” said the UK Information Commissioner John Edwards.
Businesses are advised to prioritise investment in key security controls, regularly monitor for suspicious activity and respond to initial warnings and alerts in a timely manner.
