A company has been fined £14m for failing to keep data safe during a cyber attack, which resulted in more than six million people having their data stolen.
Sensitive information, such as pension records, details of criminal convictions and other financial data, was taken by cyber attackers from outsourcing specialist and government contractor Capita in March 2023.
The company was left “at significant risk”, the UK privacy watchdog said, as it failed to ensure secure processing of personal data.
Capita also lacked appropriate technical and organisational measures to effectively respond to the attack, the Information Commissioner’s Office (ICO) said.
The scale and impact of the attack could have been prevented if sufficient security measures had been in place, the ICO added.
Capita took 58 hours to respond to a high-priority security alert, against a target response time of one hour, and its security operations centre was understaffed, the regulator said.
The delay meant a malicious file, accidentally downloaded by an employee to their device, was not quarantined and the attacker was able to exploit systems.
As well as the anxiety and stress suffered by those affected by the breach, the ICO said a large company like Capita falling short creates wider problems of trust among the public. It employs roughly 35,000 people globally.
The company avoided a fine of £45m as it admitted liability, implemented improvements after the attack, offered support to affected individuals and engaged with other regulators and the…

