Features 24.10.2025

AI Autopsy: Capita’s 2023 Breach Laid Bare by the ICO

A £14m regulatory fine is just the tip of the iceberg.

Phil Muncaster explores what happens when a multibillion-pound outsourcer neglects basic security best practice.

Managed service providers (MSPs) play a vital role in the digital economy, delivering core IT services for their clients which often quite literally keep the lights on. In the case of the big outsourcers, they have the economies of scale, domain expertise and access to talent that even many large enterprises can’t match. Or at least, that’s the argument in favour.

In the “against” column are a growing number of serious security breaches which have exposed clients to significant business risk. JLR, M&S and Co-op are believed to have been breached via the same outsourcer. And now Capita has been fined £14m by the Information Commissioner’s Office (ICO) for a 2023 ransomware attack which the company itself describes as “among the first in the recent wave of highly significant cyber-attacks on large UK companies.”

As detailed in the ICO’s penalty notice, Capita’s shortcomings reveal much about the security challenges facing large enterprises, and the risks of outsourcing critical IT to third parties.

A timeline of events

The incident began on March 22 2023, when threat actors from a Black Basta affiliate accessed the Capita network after infecting an employee device with malicious JavaScript. It’s unclear how they did this, although all signs point to a drive-by download, as there’s no evidence of phishing. The hackers then downloaded Qakbot and Cobalt Strike to help with post-intrusion activity.

Within an hour, a “high alert” was sent to the Capita Security Operations Centre (SOC), but crucially it took a further 57 hours before the SecOps team took action, quarantining the device, running AV and changing passwords. By that time, the threat actors had already achieved privilege escalation and were recovering and decrypting usernames and passwords from browsers on the compromised device.

Having gained a foothold in the Capita network, they spent the next few days using Cobalt Strike and Bloodhound for lateral movement and discovery. Only on March 29 did Capita invoke an “internal Major Incident Management process” and engage a third party for forensic support.

That same day, the threat actors began exfiltrating almost a terabyte of data, impacting 6.6 million individuals. This included names, addresses, NI numbers, passport and driver’s license scans, bank account numbers and sort codes, credit and debit card scans, and biometric data. More concerning still, it also included special category data including information on medical details, sexual orientation, criminal records checks, political beliefs and trade union membership.

On March 31, they downloaded ransomware to Capita’s systems and initiated a global password reset which affected over 59,000 accounts.

It’s unclear which clients were affected, but we do know that Capita ran government accounts worth billions of pounds, with clients including the NHS, HM Prison and Probation Service and the Royal Navy. The ICO also revealed that over half of the firm’s 600 Capita Pension Solutions clients were affected by the breach.

Although Capita said that 100% of its services were back online by mid-June 2023, it repeatedly underestimated the number of data subjects impacted by the breach. Even as recently as September 2024, it claimed that only “631,816 data subjects for whom Capita was the data controller had personal data exfiltrated”, according to the ICO.

Some key ‘technical and organisational’ failings

The regulator’s investigation concluded that Capita had failed to meet a key requirement of the UK GDPR: use of “appropriate technical and organisational measures” for the processing and safeguarding of personal data. Specifically, it failed to:

  • Prevent privilege escalation and unauthorised lateral movement. The ICO argues that Capita failed to implement a “tiered model” for its admin accounts, which could have reduced the attack surface in line with least privilege approaches. This oversight was apparently flagged three times without being remediated
  • Respond “appropriately” to security alerts. The ICO says Capita’s SOC was understaffed and “fell well below” its target response times for security alerts – leading to the crucial 58-hour delay
  • Test its systems for vulnerabilities and misconfigurations. Even systems containing millions of records of the most sensitive data were subject to only one pen test on commissioning and no more, the ICO claims. Compounding this mistake, any risks spotted by these tests were confined to specific business units and so couldn’t be addressed across the organisation
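The alert-response failing above is a measurable one. The following is an added example (not from the article or the ICO notice) that joins constructed SOC alert records to the first containment action on the same host and flags any alert that was left beyond a hypothetical severity-based target; the records, hostnames and targets are invented for illustration.

```python
from datetime import datetime, timedelta

# Constructed SOC records (not from the ICO notice): alerts raised by endpoint
# tooling, and containment actions taken on the same host.
ALERTS = [
    {"id": "A-1", "host": "laptop-17", "severity": "high", "raised": "2023-03-22T10:00:00"},
    {"id": "A-2", "host": "laptop-42", "severity": "medium", "raised": "2023-03-22T11:30:00"},
    {"id": "A-3", "host": "srv-db-03", "severity": "high", "raised": "2023-03-23T09:00:00"},
]
ACTIONS = [
    {"host": "laptop-17", "action": "quarantine", "at": "2023-03-24T19:00:00"},  # 57h later
    {"host": "laptop-42", "action": "quarantine", "at": "2023-03-22T14:00:00"},  # 2.5h later
]
# Hypothetical response-time targets per severity (an assumed SLA, not Capita's).
TARGET = {"high": timedelta(hours=1), "medium": timedelta(hours=4), "low": timedelta(hours=24)}


def response_delays(alerts, actions):
    """Map alert id -> time from alert to first containment on that host (None if never)."""
    first_action = {}
    for act in actions:
        t = datetime.fromisoformat(act["at"])
        if act["host"] not in first_action or t < first_action[act["host"]]:
            first_action[act["host"]] = t
    delays = {}
    for al in alerts:
        raised = datetime.fromisoformat(al["raised"])
        acted = first_action.get(al["host"])
        # An action that predates the alert cannot be its response; treat as no response.
        delays[al["id"]] = (acted - raised) if acted and acted >= raised else None
    return delays


def sla_breaches(alerts, actions, target=TARGET):
    """Return [(alert_id, severity, hours_taken or None)] for alerts over target or unactioned."""
    delays = response_delays(alerts, actions)
    breaches = []
    for al in alerts:
        d = delays[al["id"]]
        if d is None or d > target[al["severity"]]:
            hours = None if d is None else d.total_seconds() / 3600
            breaches.append((al["id"], al["severity"], hours))
    return breaches


if __name__ == "__main__":
    for alert_id, sev, hours in sla_breaches(ALERTS, ACTIONS):
        print(f"{alert_id} ({sev}): {'never actioned' if hours is None else f'{hours:.1f}h'}")
```

Run against real SOC exports, the same join gives the distribution of alert-to-containment times that a regulator would compare against the stated target.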

It’s also worth mentioning a particularly scathing paragraph in the penalty notice, which states that Capita’s cooperation with the ICO investigation “has not gone beyond what would be expected in an investigation in light of the duty required by law”. The ICO says that the firm’s responses did nothing to enable the enforcement process “to be concluded significantly more quickly or effectively”.

It adds: “The commissioner also notes that there have been instances where responses to Information Notices have not been as fulsome as they could have been. Capita has also not provided additional information when it was requested by the commissioner, for example in relation to the civil claims it is facing.”

However, it should be noted that Capita still managed to persuade the regulator to cut its original suggested fine down from £45m, due to the support it offered to affected individuals, and engagement with regulators and the NCSC.

Key takeaways for CISOs

The ICO lists various measures that organisations should be proactively taking to avoid the same mistakes as Capita. These include following the NCSC’s guidance on preventing lateral movement and applying least privilege policies across their organisation. It also urges organisations to ensure they have monitoring systems in place to spot suspicious activity, and that alerts are responded to in a timely manner. Pen tests should be shared across the entire organisation so risks can be holistically addressed, and investments prioritised in key security controls to ensure they’re working effectively.

Beyond that, the incident highlights the importance of engaging early with the NCSC and relevant regulators, says Lauren Wills-Dixon, head of privacy at law firm Gordons.

“The ICO looks at harm to individuals in the circumstances, and what is done to prevent or mitigate it,” she tells Assured Intelligence. “In Capita’s case, although there was a 58-hour delay between detecting the breach and implementing crucial containment measures, the ICO took into account Capita’s argument that it had made improvements to its cybersecurity, offered support for those affected and engaged with regulators and the NCSC. As a result, the original proposed fine of £45m was reduced to £14m.”

The case should also remind CISOs of the need to take a dispassionate, risk-based approach to security strategy, according to BCS fellow and cybersecurity practice lead at Platt Law, Ilia Kolochenko.

“Strategy and management are the indispensable ingredients: the cornerstone, of corporate cyber defence and resilience. If they are missing, you are doomed to fail,” he tells Assured Intelligence.

“You might invest millions in penetration testing, but unless there is a well-thought-out strategy behind it – such as an evidence-driven understanding of what systems to test, how frequently and what methodology to use – this will be a waste of money. Use any reasonable methodology and testing frequency, but all of this must be based on a risk assessment and correlated with the identified threats. Otherwise, regulators will go after you.”

Finally, any organisation outsourcing critical IT functions must perform rigorous due diligence on potential suppliers, and follow that up with continuous monitoring, advises SOCRadar CISO, Ensar Seker.

“A failure to enforce privilege separation, repeated neglect of known vulnerabilities, and dangerously delayed alert responses are all red flags of cyber-risk normalisation: when an organisation accepts subpar security hygiene as business as usual,” he tells Assured Intelligence.

“Capita’s under-resourced SOC, despite its scale, reveals a growing industry issue: you can’t outsource accountability. Supply chain security isn’t just about third-party assessments, it’s about continuously verifying the operational maturity of those handling your data. Organisations must ensure that even their biggest suppliers are held to the same or higher security standards as internal teams.”

Capita employs over 34,000 people worldwide and has a reported annual revenue of £2.4bn. Its failings show that CISOs must get smarter about selecting their MSPs.
