
The Information Commissioner’s Office (ICO), the data regulator, has fined outsourcing business Capita £14m for failing to protect the security of 6.6m pension savers’ records.
The fine relates to a 2023 ransomware attack in which hackers stole millions of people’s information from Capita.
Capita plc has been fined £8m and Capita Pension Solutions Limited has been fined £6m, a total of £14m.
The ICO says the cyber attack took place in March 2023. The personal information of 6.6 million people was stolen, from pension records and staff records to the details of Capita customers.
In some cases the data included “sensitive information” such as details of criminal records, financial data or other ‘special category’ data.
Capita Pension Solutions Limited, one of the biggest pension administrators in the UK, held personal information on behalf of over 600 organisations providing pension schemes, 325 of which were affected by the breach.
The ICO’s investigation found that Capita had failed to ensure the security of the personal data it held, leaving that data at significant risk, and lacked the appropriate technical and organisational measures to respond effectively to the attack. The ICO said Capita’s Security Operations Centre was understaffed and, for at least six months before the incident, had fallen well below its target response times for security alerts.
The ICO said the attack began when a malicious file was unintentionally downloaded onto an employee device on 22 March 2023. Although a high-priority security alert was raised within 10 minutes and some automated action was taken immediately, Capita did not quarantine the device for 58 hours, during which the attacker was able to exploit its systems.
On 31 March 2023, ransomware was deployed onto Capita’s systems and the attacker reset all user passwords, locking Capita staff out of their own systems and network. The ICO received at least 93 complaints in relation to the attack.
John Edwards, UK information commissioner, said: “Capita failed in its duty to protect the data entrusted to it by millions of people. The scale of this breach and its impact could have been prevented had sufficient security measures been in place.
“When a company of Capita’s size falls short, the consequences can be significant. Not only for those whose data is compromised – many of whom have told us of the anxiety and stress they have suffered – but for wider trust amongst the public and for our future prosperity. As our fine shows, no organisation is too big to ignore its responsibilities.
“Maintaining good cybersecurity is fundamental to economic growth and security. With so many cyber attacks in the headlines, our message is clear: every organisation, no matter how large, must take proactive steps to keep people’s data secure.”
The ICO initially informed Capita of its provisional intention to impose a combined fine of £45m. After discussions on mitigating factors, the ICO and Capita agreed a voluntary settlement.
Capita has acknowledged the ICO’s decision and admitted liability, agreeing to pay a final penalty of £14 million without appealing.
• Capita plc was fined for infringing Articles 5(1)(f), 32(1) and 32(2) of UK GDPR, and Capita Pension Solutions Limited was fined for infringing Articles 32(1) and 32(2) of UK GDPR.