Another Day, Another Fine

  • Writer: Katarzyna Celińska
  • Nov 6


The Information Commissioner's Office has fined Capita plc £14 million for failing to implement appropriate cybersecurity controls — leading to a major 2023 data breach that exposed the personal data of 6.6 million individuals. This breach affected data from over 600 pension schemes and 325 organizations, including sensitive details like criminal records, financial data, and special category information.


The incident began when an employee accidentally downloaded a malicious file. Although a high-priority alert was triggered within 10 minutes, Capita failed to quarantine the device for 58 hours, giving attackers time to:

➡️ Deploy malware and gain administrator privileges

➡️ Move laterally across networks

➡️ Access and exfiltrate nearly one terabyte of data

➡️ Deploy ransomware

Slow response time became a critical factor in the ICO's decision to penalize Capita.


Findings

Failure to Prevent Privilege Escalation and Lateral Movement

➡️ No tiered model for administrative accounts.

➡️ Attackers could escalate privileges and move across multiple domains.

➡️ This vulnerability had been flagged at least three times before — but not fixed.
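The first finding is the absence of a tiered administrative model. A tiered model (Tier 0 for identity and domain control, Tier 1 for servers, Tier 2 for workstations) is only useful if something checks that accounts stay inside their tier. The script below is an added illustration and not code from the post or from Capita or the ICO: it takes a constructed host and account tier map and a handful of constructed logon records, and reports a Tier 0 credential used on a workstation (the exposure that lets a compromised endpoint become a domain-wide incident), a low-tier admin account administering a server, and an account with no tier assignment at all. All host names, account names and the tier tables are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed tier map for this example (not from the post):
# Tier 0 = identity and domain control, Tier 1 = servers/applications, Tier 2 = workstations.
HOST_TIER = {"dc01": 0, "pki01": 0, "app01": 1, "sql01": 1, "ws-1234": 2, "ws-5678": 2}
ACCOUNT_TIER = {"t0-domainadmin": 0, "t1-srvadmin": 1, "t2-helpdesk": 2, "jsmith": 2}


@dataclass(frozen=True)
class Logon:
    account: str
    host: str
    interactive: bool  # console/RDP logons leave reusable credentials on the host


# Constructed logon records; the comments state what each one should produce.
SAMPLE_LOGONS = [
    Logon("t0-domainadmin", "dc01", True),     # fine: Tier 0 account on a Tier 0 host
    Logon("t0-domainadmin", "ws-1234", True),  # bad: Tier 0 credential exposed on a workstation
    Logon("t1-srvadmin", "app01", True),       # fine: Tier 1 admin on a Tier 1 host
    Logon("t2-helpdesk", "sql01", True),       # bad: workstation-tier admin managing a server
    Logon("jsmith", "ws-5678", True),          # fine: ordinary user on a workstation
    Logon("svc-backup", "sql01", False),       # gap: account never placed in any tier
]


def check_tiering(logons, host_tier=HOST_TIER, account_tier=ACCOUNT_TIER):
    """Return one finding per logon that violates the tier model.

    kinds:
      credential_exposure - a higher-privilege account logged on to a lower-tier host,
                            so its credential can be harvested and reused upward
      cross_tier_admin    - a lower-tier account touched a higher-tier host
      unclassified        - the account or host is not in the model at all
    """
    findings = []
    for e in logons:
        at, ht = account_tier.get(e.account), host_tier.get(e.host)
        if at is None or ht is None:
            findings.append({"account": e.account, "host": e.host,
                             "kind": "unclassified", "severity": "medium"})
            continue
        if at < ht:
            findings.append({"account": e.account, "host": e.host,
                             "kind": "credential_exposure",
                             "severity": "high" if e.interactive else "medium"})
        elif at > ht:
            findings.append({"account": e.account, "host": e.host,
                             "kind": "cross_tier_admin", "severity": "high"})
    return findings


if __name__ == "__main__":
    for f in check_tiering(SAMPLE_LOGONS):
        print(f"{f['severity']:6} {f['kind']:20} {f['account']} -> {f['host']}")
```

In practice the logon records would come from domain controller or EDR telemetry rather than a list literal, and the "unclassified" finding is the one worth watching first: every account missing from the tier map is a place where the model exists only on paper.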


Failure to Respond

➡️ Security alert raised within 10 minutes;

➡️ Capita took 58 hours to isolate the device — versus a target response time of 1 hour;

➡️ SOC was understaffed and missed alert-response targets for months.
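The response finding comes down to one number: the time between an alert being raised and the affected device being isolated, measured against the 1-hour target. The script below is an added example, not code from the post or from Capita: it parses a few constructed alert and containment log lines, computes alert-to-containment time for each alert, treats alerts with no containment event as still open, and flags everything that exceeded the target. The log format, host names, alert identifiers and timestamps are assumptions made for the example; the 58-hour case mirrors the figure in the post.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed log lines for this example (not from the post or the ICO decision).
# A-100 reproduces the post's 58-hour gap; A-101 is contained inside the target;
# A-102 has no containment event at all.
SAMPLE_LOG = """\
2023-03-01T09:00:00Z ALERT id=A-100 host=ws-1234 severity=high msg="malicious file executed"
2023-03-01T09:10:00Z ALERT id=A-101 host=ws-5678 severity=high msg="suspicious child process"
2023-03-01T09:40:00Z CONTAINED id=A-101 host=ws-5678 action=isolate
2023-03-03T19:00:00Z CONTAINED id=A-100 host=ws-1234 action=isolate
2023-03-04T08:00:00Z ALERT id=A-102 host=app01 severity=high msg="credential dumping"
"""

# Assumed "current time" used when the block runs stand-alone.
NOW = datetime(2023, 3, 4, 10, 0, tzinfo=timezone.utc)
TARGET = timedelta(hours=1)  # the response target quoted in the post

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>ALERT|CONTAINED) id=(?P<id>\S+) host=(?P<host>\S+)")


def parse_events(text):
    """Split the log into {alert_id: (timestamp, host)} for alerts and containments."""
    alerts, contained = {}, {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not alert/containment events
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        target = alerts if m["event"] == "ALERT" else contained
        target[m["id"]] = (ts, m["host"])
    return alerts, contained


def response_report(text, now, target=TARGET):
    """One row per alert: hours to containment (or hours open) and whether the target was missed."""
    alerts, contained = parse_events(text)
    rows = []
    for aid, (raised, host) in sorted(alerts.items()):
        if aid in contained:
            elapsed, status = contained[aid][0] - raised, "contained"
        else:
            elapsed, status = now - raised, "OPEN"  # still counting against the target
        rows.append({
            "id": aid,
            "host": host,
            "status": status,
            "hours": round(elapsed.total_seconds() / 3600, 2),
            "breached": elapsed > target,
        })
    return rows


def breached_ids(text, now, target=TARGET):
    """Alert ids that exceeded the containment target, contained or not."""
    return [r["id"] for r in response_report(text, now, target) if r["breached"]]


def demo_report():
    return response_report(SAMPLE_LOG, NOW)


if __name__ == "__main__":
    for r in demo_report():
        flag = "MISSED TARGET" if r["breached"] else "ok"
        print(f"{r['id']} {r['host']:8} {r['status']:9} {r['hours']:6.2f} h  {flag}")
```

Run against a real SIEM export the same calculation gives the metric the ICO focused on, and the "OPEN" rows are the ones an understaffed SOC accumulates: alerts that were raised, never actioned, and are still breaching the target every hour they stay unassigned.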


Inadequate Penetration Testing and Risk Assessment

➡️ Critical systems processing millions of records were tested only at commissioning — with no follow-up.

➡️ Findings from tests were siloed.

➡️ Network-wide risks were ignored and not addressed collectively.


Recommendations

➡️ Implement tiered administrative models and apply the principle of least privilege.

➡️ Ensure timely monitoring and alert response.

➡️ Conduct regular penetration testing and share results.

➡️ Invest in core security controls, including network segmentation, EDR, and log monitoring.


It's another reminder that policies on paper don’t stop cyberattacks. This case perfectly demonstrates what happens when cybersecurity monitoring and incident response aren’t implemented properly. It’s easy to write policies, create procedures, and file compliance paperwork, but a “binder of policies” has never stopped a hacker. It should be evident that the lack of real-time monitoring, slow incident response, and neglected vulnerability management can lead to incidents.

As I often say, "You can't defend your organization with a folder of policies."

BW ADVISORY sp. z o.o. 

ul. Boczańska 25
03-156 Warszawa
NIP: 525-281-83-52
