Capita fined £14M after 58-hour delay exposed 6.6M records

The UK's Information Commissioner's Office (ICO) has issued a £14 million ($18.6 million) penalty to outsourcing giant Capita following a catastrophic 2023 cyberattack that exposed the personal data of 6.6 million people. The fine breaks down as £8 million ($10.6 million) for Capita plc and £6 million ($8 million) for Capita …

  1. Elongated Muskrat Silver badge

    John Edwards, UK Information Commissioner, said: "Capita failed in its duty to protect the data entrusted to it by millions of people. The scale of this breach and its impact could have been prevented had sufficient security measures been in place."

    I'm willing to bet that the vast majority of these people didn't willingly entrust their data to Crapita at all, and that this was done so either without their explicit knowledge, or in the small print that nobody reads of their agreement with whoever it was they actually "entrusted" their data to. I also strongly suspect there was no real choice given to people about whether they explicitly gave that trust or not, if these are things like pension schemes, where your option is "pay in, or don't".

    1. ParlezVousFranglais Silver badge

      Indeed - it seems from the report that some contracts awarded to Crapita by its clients were on the basis of it being a "Data Processor" under the legislation. What we now need is additional follow-up investigations from the ICO into those organisations that contracted with Crapita, who would legally be the "Data Controller", and therefore primarily responsible for the data of their users.

      If those organisations are not also penalised for basing their decisions on "cheapest wins", then ultimately nothing will change.

      1. elsergiovolador Silver badge

        Isn't it more like usual suspect wins, than cheapest?

        1. Elongated Muskrat Silver badge

          Exactly. I doubt the usual suspects are ever the cheapest, just that the requirements are carefully written to exclude the cheaper options.

    2. Korev Silver badge

      Exactly, as their pension services wing was impacted, a lot of people would have been affected through no fault of their own.

  2. Pascal Monett Silver badge

    Is that a joke ?

    "ICO makes example of outsourcing giant "

    Capita. 2024 revenue : £2.4 billion.

    Fine ? 0.58% of annual revenue.

    You call that an example ? I call that pocket change. The CEO probably has that lying in his sofa cushions.

    You want to make an example ? 10% of 2.4 billion is 240 million.

    Fine them that and watch them scramble for it to never happen again.

    Make 'em sweat, instead of going to a restaurant to celebrate after your piddling little "fine".

    1. hmv

      Re: Is that a joke ?

      Indeed. The figure was reduced for behaving well _after_ the incident. The figure should only be reduced for behaving well _before_ the incident.

      1. PCScreenOnly Silver badge

        Re: Is that a joke ?

        Behaving well trying to argue the toss with the ICO.

        Hate to see bad behaviour

    2. Alan J. Wylie

      Re: Is that a joke ?

      > You want to make an example ? 10% of 2.4 billion is 240 million.

      Fine them 10 times the total remuneration, during the year of the breach and the previous and subsequent years, of the members of the board of directors, including all bonuses and resignation pay-offs.

    3. Tron Silver badge

      Re: Is that a joke ?

      I would guess that any fine will be added to the government's bill for their future outsourcing to Capita, under additional, essential expenditure (supply chains, invasion of Ukraine, Covid, taxiffs, Cost of Living Crisis etc). If they had increased the fine, they would end up paying more. The Royal Mail got fined £21m today, so I guess postage rates will be going up again soon. That's how it works.

      Quote: Microsoft's security best practices.

      That bit made me laugh.

    4. Ordinary Donkey

      Re: Is that a joke ?

      A joke that the public has been falling for for over fifty years no less.

    5. Fuzzy Fitzpatrick

      Re: Is that a joke ?

      Seems very reasonable to me, and should be expanded to other areas of law. If I had a gun and shot somebody with it, I should be able to negotiate my prison time down by telling the judge that I have a nice case for it now and probably won’t shoot anybody else in the future.

      1. Anonymous Coward

        Re: Is that a joke ?

        That sounds very like Deferred Prosecution Agreements in the USA that some are keen on bringing to the UK. Corporate versions of Plea Bargaining. John Oliver’s Excoriation of it is fab.

        https://m.youtube.com/watch?v=xNo8Ve-Ej6U

        https://www.cliffordchance.com/content/dam/cliffordchance/briefings/2012/05/deferred-prosecution-agreements-and-us-approaches-to-resolving-criminal-and-civil-enforcement-actions.pdf

    6. Anonymous Coward

      Re: Is that a joke ?

      ... want to make an example ? 10%

      Example, you say?

      That is not an example, it is just part of the cost of doing business to these scumbags.

      Fine them for an amount that will keep them from paying any dividends for 2 or 3 years.

      That is an example.

      i.e. one that will get their shareholders to take notice and make sure that it never (ever) happens again.

      .

    7. Anonymous Coward

      Re: Is that a joke ?

      Another weak sweetheart deal hugely reducing the original fine … just like the British Airways debacle. The regulatory fines are supposed to be impact based; showing improved after-the-event behaviours does not reduce the impact.

      The ICO is - another statutory regulator - not fit for purpose.

    8. Cynical Pie

      Re: Is that a joke ?

      The only flaw in your suggestion is that they can't issue an MPN for 10%; the max is 4% as per the law.

  3. elsergiovolador Silver badge

    Incompetent Commissioner Office

    Napkin maths says it is about £2.12 per record.

    At £2.12 per record, Capita’s penalty roughly aligns with the black-market retail value of low-to-medium-value personal data, but is far below what regulators could impose under GDPR (up to 4% of global turnover).

    In other words, the ICO is having a laugh.

    1. PCScreenOnly Silver badge

      Re: Incompetent Commissioner Office

      Another toothless quango

      1. Anonymous Coward

        Re: Incompetent Commissioner Office

        Another toothless quango

        No ...

        Another brown envelope recipient.

        .

  4. Anonymous Coward

    Capita....

    The grift that keeps on grifting....

    1. elsergiovolador Silver badge

      Re: Capita....

      There is one R in Crapita.

    2. Anonymous Coward

      Re: Capita....

      Crapita and Fujitsu - debarment from Public Sector contracts under 2023 Procurement Act. Bring the work in-house.

      https://www.gov.uk/government/publications/procurement-act-2023-guidance-documents-procure-phase/guidance-debarment-html

  5. ComicalEngineer Silver badge

    A company that needs breaking up

    Crapita have sucked up lots of companies so that they can claim to provide a whole range of services. Indeed they do provide a wide range of services, most of which they do badly. I have experience of their recent services provided to UK military recruitment.

    Nah, you don't need soldiers / sailors and airmen to man a recruiting office, Capita can do it for you.

    "In 2017-18, Capita recruited 6,948 fewer regular and reserve soldiers and officers than the Army's target. The shortfall has been largest for regular soldiers." [Hansard]

    Crapita have also screwed teachers' pensions. My friend's wife has had to retire due to ill health and is still (4 months on) waiting for a proper pension valuation.

    About 7-8 years ago they bought out a smallish but very good network provider, and promptly sacked or "redeployed" all of the best engineers in the name of cost saving. My old business centre used the small company as they were local but have now binned Crapita off due to the poor service and high costs.

    There must be some really big brown envelopes being handed out for this shower to continue getting government contracts.

  6. mob

    Joke fine

    As if this company would even notice such a tiny fine. What a joke. Why not just fine them one pound? It would be just as effective as a future deterrent. Why not fine the CEO instead? Then they'd start fulfilling their legal duties.

  7. MrGreen

    Who Owns Capita

    Who owns all the shares in Capita?

    The same people handing out the contracts.

    It’s a scam.

    Your tax is being sent to companies the elites all own shares in. That’s how they make millions.

  8. Andy3

    But of course the much-vaunted Digital ID scheme won't suffer from c*ck-ups, leaks, attacks or exposures at all. Never. No-one will lose their data, no-one will find they suddenly have a criminal record or have never made a mortgage payment. It will be perfect in every way and 'will have safeguards which will make it virtually hack-proof'.

  9. Anonymous Coward

    I want to know why…

    My CVs were held by the Capita *pension* company, seeing as I left as a retiree in 2016. Why was it necessary for the pension arm to hold that data? Why was my CV data not purged shortly after I retired? CVs because Capita had my ‘regular’ CV, suitable for general (IT/IS) employment and a security-cleared version, subject to OSA restrictions: the personal and family safety risks are of continuing great concern.

  10. Anonymous Coward

    Then neither to Crapita

    "Capita's response

    The ICO's full incident report shows how Capita attempted to argue on multiple occasions that ICO officials did not have the regulatory remit to comment on its security posture. In most of these cases, the ICO disagreed."

    Crapita can't even sort out its own security itself so it can't moan that it thinks the ICO can't comment on its shit security.

  11. gerryg

    "drive by download"

    I confess to having to look that one up.

    So some moron, somewhere, was looking at something they shouldn't have been looking at and clicked on a malicious link.

    Do crapita have any explanation regarding how it happened and why it isn't going to happen again?

    I don't use Windows and while I might choose to bring the usual axe, I am curious as I thought executables required admin rights.

  12. RJW

    Does anyone know if Crapita paid a ransom to get their data back?

    I wonder how much money this cost them to sort out?
