
OUTSOURCING giant Capita’s failure to protect the personal data of 6.6 million people has cost it £14m in fines from the Information Commissioner’s Office (ICO).
The company was hit by a cyber-attack in March 2023, which captured pension details, staff records and details of customers of organisations Capita supports – in some cases including details of criminal records and financial data.
The ICO’s investigation noted that while the device compromised by the hack was supposed to have been quarantined within one hour, it actually took 58 hours “despite a high-priority security alert being raised within 10 minutes of the breach.”
That sluggish response led the ICO to levy an £8m fine on Capita and another £6m on its subsidiary, Capita Pension Solutions, which processes personal information for 600 organisations providing pension schemes, 325 of which were affected.
UK information commissioner John Edwards said: “Capita failed in its duty to protect the data entrusted to it by millions of people.
“The scale of this breach and its impact could have been prevented had sufficient security measures been in place.”
Responding to the fine, which comes on top of £25m the firm spent on a clear-up operation and efforts to improve security, Capita said: “We regret the incident and can reaffirm that, following a detailed forensic investigation, all those identified as potentially impacted were contacted after the attack.”
Chief executive Adolfo Hernandez added: “When I joined as CEO the year after the attack I accelerated our cyber security transformation, with new digital and technology leadership and significant investment.
“As a result, we have hugely strengthened our cybersecurity posture, built in advanced protections and embedded a culture of continuous vigilance.”