Capita, the United Kingdom’s largest outsourcing company, was on Wednesday fined £14 million ($18.7 million) over security failings that saw attackers compromise the personal information of 6.6 million people in a ransomware attack in 2023. The voluntary settlement is for less than a third of the £45 million ($60 million) Britain’s data protection regulator had initially intended to impose, but remains the largest fine the Information Commissioner’s Office (ICO) has ever issued in a ransomware case. Despite Capita initially stating there was “no evidence of customer, supplier or colleague data having been compromised,” the company and its pensions subsidiary were found to have exposed data about the pensions it handles, Capita’s own staff and customers from other organizations Capita supports. The compromised data included names, addresses and dates of birth, as well as financial information such as credit and debit card numbers and CVVs. The ICO said it received complaints from people who were concerned money had been stolen from their accounts as the result of the data breach. “Capita failed in its duty to protect the data entrusted to it by millions of people. The scale of this breach and its impact could have been prevented had sufficient security measures been in place,” stated John Edwards, the Information Commissioner. Following media reports that staff were locked out of their accounts, Capita confirmed a cyberattack had taken place on April 3, 2023. It issued a statement to the governmental Regulatory News Service stating that “immediate steps were taken to successfully isolate and contain the issue.” This claim appears to contrast with the ICO’s findings. According to the regulator’s monetary penalty notice, after a malicious JavaScript file was downloaded onto an employee device on March 22, 2023, the compromised device was not quarantined for 58 hours, ultimately allowing the attackers to further access the company’s network and deploy ransomware.
The ICO said Capita had provided contradictory information about how quickly it had responded to the initial access. It is a crime under British financial laws, in particular Section 89 of the Financial Services and Markets Act, to publish misleading statements to the market. No regulators have made such a finding in Capita’s case. A spokesperson for Capita told Recorded Future News: “We did take some immediate steps to contain the issue, as has been acknowledged by the ICO. We do not believe we are in breach of Section 89 of the Financial Services and Markets Act 2000.” After the initial compromise, the threat actor downloaded the Qakbot malware and the Cobalt Strike intrusion tool onto Capita’s systems. Around 29 hours after the initial access, Capita’s security platform McAfee/Trellix identified Qakbot recovering and decrypting usernames and passwords from compromised devices’ browsers. The malicious JavaScript file had generated a “Priority 2” alert in Capita’s endpoint detection and response (EDR) software. The ICO found that a properly configured EDR tool should have upgraded the threat to “Priority 1” after detecting the Qakbot and Cobalt Strike infection. Capita then manually took three separate devices offline on March 28 after noticing suspicious activity. The ICO listed a range of security failings, including an understaffed Security Operations Centre (SOC), which usually had only one analyst on per shift, and the lack of automated response and decent escalation protocols. Over the next two days, the attackers exfiltrated nearly a terabyte of data before deploying ransomware onto Capita’s systems and resetting all user passwords in the early hours of March 31.
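The ICO’s point about escalation can be made concrete by replaying the reported timeline through a simple policy. The following is an added example, not code from the article, from Capita or from the ICO: a toy alert-escalation rule run over a constructed event list whose dates follow the article (the times of day, host names and event wording are invented). It shows a Priority 2 alert being promoted to Priority 1 the moment Qakbot or Cobalt Strike activity is detected on the same host, and how many hours of dwell time an automated isolation at that moment would have removed compared with the manual quarantine 58 hours later.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Detection names that should promote an open host alert to Priority 1.
# Qakbot and Cobalt Strike are named in the article; treating them (and browser
# credential theft) as automatic P1 triggers is this example's own assumption.
P1_TRIGGERS = ("qakbot", "cobalt strike", "credential")


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str                      # "alert" (EDR alert with a priority), "detection", "isolated"
    detail: str
    priority: Optional[int] = None  # only meaningful for kind == "alert"


def evaluate_host(events: Iterable[Event], host: str) -> Dict[str, object]:
    """Replay one host's timeline and report what an escalation policy would do.

    Returns the final priority, hours from first alert to the first P1 trigger
    (when an automated isolation would have fired), hours from first alert to
    the actual isolation, the gap between those two, and whether automated
    isolation would have acted before the device was really taken offline.
    """
    timeline = sorted((e for e in events if e.host == host), key=lambda e: e.ts)
    first_alert: Optional[datetime] = None
    p1_at: Optional[datetime] = None
    isolated_at: Optional[datetime] = None
    priority: Optional[int] = None

    for e in timeline:
        if e.kind == "alert":
            if first_alert is None:
                first_alert = e.ts
            # Keep the most severe (numerically lowest) priority seen so far.
            if priority is None or (e.priority is not None and e.priority < priority):
                priority = e.priority
        elif e.kind == "detection" and any(t in e.detail.lower() for t in P1_TRIGGERS):
            # Rule: a known intrusion toolkit on a host with an open alert is P1,
            # whatever priority the original alert was given.
            if p1_at is None:
                p1_at = e.ts
            priority = 1
        elif e.kind == "isolated" and isolated_at is None:
            isolated_at = e.ts

    def hours(a: Optional[datetime], b: Optional[datetime]) -> Optional[float]:
        if a is None or b is None:
            return None
        return round((b - a).total_seconds() / 3600, 1)

    return {
        "priority": priority,
        "hours_to_p1": hours(first_alert, p1_at),
        "hours_to_isolation": hours(first_alert, isolated_at),
        "hours_p1_to_isolation": hours(p1_at, isolated_at),
        "should_have_auto_isolated": p1_at is not None
        and (isolated_at is None or isolated_at > p1_at),
    }


# Constructed timeline. The calendar date and the 29h / 58h offsets come from the
# article; the time of day, host names and event text are invented for the example.
T0 = datetime(2023, 3, 22, 12, 0)
SAMPLE_EVENTS: List[Event] = [
    Event(T0, "ws-01", "alert", "malicious JavaScript file downloaded", priority=2),
    Event(T0 + timedelta(hours=29), "ws-01", "detection", "Qakbot recovering browser credentials"),
    Event(T0 + timedelta(hours=29, minutes=5), "ws-01", "detection", "Cobalt Strike beacon observed"),
    Event(T0 + timedelta(hours=58), "ws-01", "isolated", "device quarantined manually"),
    # A second host that only ever raised the P2 alert: the rule must leave it at P2.
    Event(T0, "ws-02", "alert", "suspicious script blocked", priority=2),
]


if __name__ == "__main__":
    for host in ("ws-01", "ws-02"):
        print(host, evaluate_host(SAMPLE_EVENTS, host))
```

Run stand-alone, the script reports that ws-01 should have been P1 after 29 hours and was isolated after 58, a 29-hour window an automated response would have closed, while ws-02 stays at P2 because no trigger ever fired on it. The design choice worth noting is that escalation is keyed on a correlation (trigger detection on a host with an open alert), not on the severity the first alert happened to be assigned, which is exactly the gap the ICO describes.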
The ICO noted that Capita claimed both that the exfiltrated data was “in an unstructured and unusable format,” meaning the attacker would not have been able to exploit it, and that the company had been “the target of a state sponsored attack” which the ICO noted would, if correct, have meant the perpetrator had “significant resources at their disposal to examine and extract usable data.” The attack was ultimately claimed by the Black Basta ransomware group, which posted what it alleged were documents stolen from Capita's internal systems. The listing subsequently disappeared from Black Basta's extortion site, a move that often indicates an extortion fee has been paid or is being negotiated. Capita has not commented on whether it made such a payment. “When a company of Capita’s size falls short, the consequences can be significant,” said Edwards. “Not only for those whose data is compromised — many of whom have told us of the anxiety and stress they have suffered — but for wider trust amongst the public and for our future prosperity. As our fine shows, no organisation is too big to ignore its responsibilities.” In a statement on Wednesday, Capita's chief executive said: “Following an extended period of dialogue with the ICO over the last two years, we are pleased to have concluded this matter and reach today’s settlement.”
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.