Full Report
ICO makes example of outsourcing giant over sluggish cyber response

The UK's Information Commissioner's Office (ICO) has issued a £14 million ($18.6 million) penalty to outsourcing giant Capita following a catastrophic 2023 cyberattack that exposed the personal data of 6.6 million people.…
Analysis Summary
# Capita Fined £14M for 58-Hour Cyber Delay Exposing 6.6M Records
## Key Points
- Capita, a UK outsourcing giant, has been fined £14 million ($18.6 million) by the Information Commissioner's Office (ICO) following a catastrophic 2023 cyberattack that exposed the personal data of 6.6 million people.
- The breach affected 325 organizations and compromised sensitive employee and pension records, including full bank and credit card details, biometrics data, passport information, login details, child data, and more.
- Capita's slow response to the initial intrusion, taking 58 hours to contain the breach, was a major contributor to the fine.
## Threat Actors
- Not specified. The attack was triggered by a malicious JavaScript download.
## TTPs
- Drive-by-download of malicious JavaScript
- Installation of Qakbot malware and Cobalt Strike pentesting tool
- Use of SystemBC and Rclone to extract data
- Kerberos credential harvesting
- Leveraging domain admin privileges for lateral movement
## Affected Systems
- Capita's services: 325 of the 600-plus organizations that rely on them were affected
- Specific affected systems: staff devices, business units with sensitive data
## Mitigations
- Implementing security best practices, such as least-privilege access and privileged access management (PAM) controls
- Conducting regular penetration tests and internal audits of security posture
- Investing in cybersecurity transformation and strengthening the cybersecurity posture
## Conclusion
The ICO's fine serves as a warning to organizations that neglect their cybersecurity responsibilities. With 241 contracts worth £6 billion awarded to Capita since the incident, this case highlights the need for accountability in outsourcing agreements.