Privacy Daily is a service of Warren Communications News.

ICO Slams Pension Company for Exposing Personal Data of 7 Million People

Pension scheme support company Capita's failure to process personal data securely or effectively respond to a cyberattack earned it a fine of 14 million pounds ($18.7 million) from the U.K. ICO, the watchdog announced Wednesday. The fine was part of an agreed settlement in which Capita admitted liability and declined to appeal.

The cyberattack occurred in March 2023, the ICO said. Personal data of 6.6 million people was stolen, from pension records and staff records to the details of customers of organizations Capita supports. The information also included sensitive data such as criminal records.

The cyberattack began when an employee unintentionally downloaded a malicious file onto a device, the watchdog noted. Although a high-priority security alert was raised within 10 minutes of the breach and automated action was taken, Capita didn't quarantine the device for 58 hours, during which the attacker exploited its systems.

The ICO's investigation showed that Capita lacked the appropriate technical and organizational measures to protect the data it held. Among other problems, the company failed to respond appropriately to security alerts and its security operations center was understaffed. In addition, Capita's penetration testing and risk assessment were inadequate.

ICO recommendations included that companies regularly monitor for suspicious activity, respond to warnings and alerts in a timely manner, and prioritize investment in key security controls.

"With so many cyber attacks in the headlines, our message is clear: every organisation, no matter how large, must take proactive steps to keep people’s data secure," said Information Commissioner John Edwards.