Link(s): Capita fined £14m for data breach affecting over 6m people | ICO; Capita plc and Capita Pension Solutions Ltd | ICO; capita-plc-and-cpsl-monetary-penalty-notice.pdf
Context
The ICO has issued a fine of £14m to Capita for failing to ensure the security of personal data related to a breach in 2023 that saw hackers steal millions of people’s information. Capita plc has been fined £8m and Capita Pension Solutions Limited has been fined £6m, a combined total of £14m.
Key points to note and next actions
The cyber-attack took place in March 2023. Personal information of 6.6 million people was stolen, ranging from pension records and staff records to the details of customers of organisations Capita supports. For some people, this included sensitive information such as details of criminal records, financial data or special category data.
Capita Pension Solutions Limited processes personal information on behalf of over 600 organisations providing pension schemes, with 325 of these organisations also impacted by the data breach.
The ICO’s investigation found that Capita had failed to ensure the security of processing of personal data, which left it at significant risk, and that Capita lacked the appropriate technical and organisational measures to effectively respond to the attack.