The UK’s data watchdog has fined outsourcing firm Capita £14m after the personal data of 6.6 million people was stolen in a cyber-attack.
The Information Commissioner’s Office (ICO) said Capita “failed to ensure the security of processing of personal data which left it at significant risk”.
The fine was originally set at £45m but reduced after discussions between Capita and the watchdog.
Capita’s boss Adolfo Hernandez said the firm was “pleased to have concluded this matter and reached today’s settlement”.
He said the company had “hugely strengthened” its cyber-security resilience and was vigilant.
Capita provides professional and outsourcing services in a number of different fields for the public and private sectors.
It made £2.4bn in revenue last year, according to its latest annual report.
After the hack in March 2023, it emerged Capita had left a pool of data unsecured online.
Information apparently containing Capita data – including home addresses and passport images – began to circulate on the dark web.
The ICO said financial data had been stolen, and in some cases details of criminal records had been hacked.
Capita also manages administration for more than 600 pension schemes, and 325 of them were affected.
“Capita failed in its duty to protect the data entrusted to it by millions of people,” said Information Commissioner John Edwards.
“The scale of this breach and its impact could have been prevented had sufficient security measures been in place.”
The proposed £45m fine was taken down to £14m after Capita argued it had made improvements to its cyber-security, offered support for people affected and engaged with other regulators and the National Cyber Security Centre (NCSC).
Earlier this year, retailer Co-op was hit by a hack in which the details of all of its roughly 6.5m customers were stolen.
This came among other high-profile cyber-attacks on M&S, Harrods and Jaguar Land Rover.
On Tuesday, the NCSC confirmed there had been an increase in nationally significant attacks this year.
It came as the government wrote to bosses around the country advising them to have their contingency plans written down on paper, in case they lose access to their computers in a hack.