The head of data protection at Barings Law has said the £14 million fine issued to Capita by the Information Commissioner’s Office is not a sufficient punishment for its data breach.
Barings, based in Manchester, has pursued legal action against Capita since 2023 – a claim separate from the ICO’s enforcement action – to expose what it calls “inadequate cybersecurity procedures” at the firm.
In issuing the fine, the ICO said today that Capita had failed to ensure the security of personal data in the 2023 breach, in which hackers stole millions of people’s information.
Adnan Malik at Barings says the punishment is a clear confirmation that Capita failed to uphold the data security of its customers and systems – but will “do little to set right the harms caused”.
The ICO initially informed Capita of its provisional intention to fine it a combined total of £45m. Capita then submitted representations and mitigating factors on the provisional decision, which the ICO considered. This included the improvements made after the attack, support offered to affected individuals and engagement with other regulators and the National Cyber Security Centre.
The ICO and Capita have now agreed to a voluntary settlement. Capita has acknowledged the ICO’s decision and admitted liability, agreeing to pay a final penalty of £14m without appealing.
“Although a substantial sum, the ICO’s penalty represents less than 1% of Capita’s annual revenue, which last year exceeded £2 billion,” said Malik.
“It does little to set right the harms caused by the firm’s inadequate cybersecurity procedures, which led to the loss of highly sensitive data including benefits and pension records.
“Barings Law has fought for more than two years to expose these failures and to make Capita fully accountable.”
Barings Law has been undertaking legal action on behalf of affected individuals against Capita since just after the breach was reported in 2023. Since then, more than 8,000 people have registered with the firm.
He added: “The ICO fine changes nothing about our ongoing claim. If anything, we would expect that this will mean our case progresses more quickly.”
The cyber attack took place in March 2023. The personal information of 6.6m people was stolen, from pension records and staff records to the details of customers of organisations Capita supports. This included sensitive information such as details of criminal records, financial data or ‘special category’ data.
Capita Pension Solutions Limited processes personal information on behalf of over 600 organisations providing pension schemes, with 325 of these organisations also impacted by the data breach.
The ICO’s investigation found that Capita had failed to ensure the security of processing of personal data which left it at significant risk, as well as lacking the appropriate technical and organisational measures to effectively respond to the attack.
“We are seeing an increasing number of data breaches against other major firms, which are incredibly damaging to people’s finances, privacy and trust. This fine, and mounting legal proceedings, should be a wake-up call to any firm still playing fast and loose with its customers’ data,” added Malik.