UK Outsourcing Firm Fined £14 Million, Setting Standards for Multi-National GCs
November 5, 2025
The UK Information Commissioner’s Office (ICO) imposed a £14 million fine on British outsourcing firm Capita following a ransomware attack in March 2023 that compromised personal data from 6.6 million individuals across 325 pension schemes.
Rohan Massey of Ropes & Gray writes that the decision signals reinforced regulatory expectations for multinationals. They will be scrutinized for timely incident response and required to maintain robust cybersecurity practices in their roles as data controllers and processors.
The Capita breach succeeded because the firm lacked controls to prevent privilege escalation and lateral movement across its digital infrastructure.
Security gaps included the absence of Privileged Access Management (PAM), the absence of Active Directory tiering (the separation of domain-control accounts and systems from server and workstation tiers, so that a compromised workstation cannot yield domain-level credentials), and inadequate monitoring of high-risk accounts, which together allowed the attackers to pivot across multiple domains.
Additionally, the security operations center failed to respond promptly to alerts: high-priority incidents took far longer to contain than Capita's own service agreements specified.
Prior penetration tests had identified these weaknesses, but the findings were neither remediated nor turned into enterprise-wide guidance.
The ICO fined two entities separately: Capita PLC as the controller and Capita Pension Solutions as the processor. This emphasizes that a processor must independently meet its GDPR security obligations, even within a shared control environment.
The decision took into account the realities of group governance, proportionality, admissions, and financial position when calculating the fine. Notably, the ruling emphasized that being the victim of a sophisticated attack does not excuse failing to implement foundational security measures or to respond in a timely manner.
The ruling serves as a roadmap for multinational GCs seeking comprehensive governance over complex IT estates. Organizations should prioritize Active Directory tiering, PAM, least privilege, and oversight of service accounts.
They should streamline security operations center response with automation and escalation protocols; integrate risk management findings (including penetration test results) across all business units; and verify that both controllers and processors can evidence compliance with Article 32 (security of processing), even within shared infrastructures.
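The tiering and service-account oversight called for above can be checked mechanically rather than asserted in policy. The script below is an added example written for this piece; it is not code from the article, from Ropes & Gray, or from Capita. It assumes a three-tier model (0 = domain control, 1 = member servers, 2 = workstations), an invented host inventory and account export (the group "Server Admins" is hypothetical; the other groups are built-in Active Directory groups), and constructed logon summaries shaped like Windows Security event 4624 with its standard logon-type codes. It flags interactive logons by privileged accounts onto less-trusted hosts, which is the credential-exposure path behind most lateral movement, and service accounts sitting in Tier 0 groups.

```python
"""Added example (not from the article or from Capita): applies an Active
Directory tiering model to constructed logon events and account attributes.
Hosts, accounts, the "Server Admins" group and all events are invented."""
from dataclasses import dataclass

# Tier model: 0 = domain control, 1 = member servers, 2 = workstations.
# A credential is exposed wherever it logs on interactively, so a Tier 0
# account on a Tier 2 workstation is a lateral-movement path to the domain.
GROUP_TIER = {
    "Domain Admins": 0, "Enterprise Admins": 0, "Administrators": 0,  # built-in groups
    "Server Admins": 1,                                                # hypothetical group
}
HOST_TIER = {"DC01": 0, "DC02": 0, "SQL01": 1, "FILE01": 1, "WS-1042": 2, "WS-2077": 2}
# Windows logon types that leave reusable credentials on the target host.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}  # Interactive, RemoteInteractive, CachedInteractive


@dataclass(frozen=True)
class Account:
    name: str
    groups: frozenset
    has_spn: bool            # servicePrincipalName set: a service account, Kerberoastable
    pwd_never_expires: bool  # DONT_EXPIRE_PASSWORD flag


# Constructed directory export (hypothetical accounts).
ACCOUNTS = {a.name: a for a in [
    Account("jsmith", frozenset({"Domain Users"}), False, False),
    Account("adm-jsmith", frozenset({"Domain Admins"}), False, False),
    Account("srvadm-kwong", frozenset({"Server Admins"}), False, False),
    Account("svc-backup", frozenset({"Domain Admins"}), True, True),
    Account("svc-web", frozenset({"Domain Users"}), True, True),
]}

# Constructed logon summaries: event_id,timestamp,account,host,logon_type
LOGON_LINES = """\
4624,2023-03-20T08:02:11Z,jsmith,WS-1042,2
4624,2023-03-20T08:15:40Z,adm-jsmith,DC01,10
4624,2023-03-20T09:01:03Z,adm-jsmith,WS-2077,10
4624,2023-03-20T09:30:57Z,srvadm-kwong,SQL01,10
4624,2023-03-20T10:12:19Z,srvadm-kwong,WS-1042,2
4624,2023-03-20T10:45:00Z,svc-backup,FILE01,3
4624,2023-03-20T11:05:22Z,svc-backup,WS-2077,2
"""


def account_tier(account: Account) -> int:
    """Most privileged tier implied by group membership; unprivileged accounts are Tier 2."""
    return min((GROUP_TIER[g] for g in account.groups if g in GROUP_TIER), default=2)


def parse_logons(text: str) -> list:
    """Parse the constructed CSV-style logon summaries into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, ts, acct, host, ltype = line.split(",")
        events.append({"event_id": int(event_id), "ts": ts, "account": acct,
                       "host": host, "logon_type": int(ltype)})
    return events


def tiering_violations(events: list, accounts=ACCOUNTS, host_tier=HOST_TIER) -> list:
    """Interactive logons by a privileged account onto a host of a lower-trust tier.

    Returns (timestamp, account, account_tier, host, host_tier) tuples."""
    findings = []
    for ev in events:
        if ev["event_id"] != 4624 or ev["logon_type"] not in INTERACTIVE_LOGON_TYPES:
            continue  # network logons (type 3) do not cache the credential on the target
        acct = accounts.get(ev["account"])
        if acct is None:
            continue
        a_tier = account_tier(acct)
        h_tier = host_tier.get(ev["host"], 2)  # unknown hosts are treated as least trusted
        if a_tier < h_tier:
            findings.append((ev["ts"], ev["account"], a_tier, ev["host"], h_tier))
    return findings


def privileged_account_findings(accounts=ACCOUNTS) -> list:
    """Hygiene checks on Tier 0 members: service accounts and non-expiring passwords."""
    findings = []
    for a in accounts.values():
        if account_tier(a) != 0:
            continue
        if a.has_spn:
            findings.append((a.name, "Tier 0 account has an SPN (Kerberoastable service account)"))
        if a.pwd_never_expires:
            findings.append((a.name, "Tier 0 account password never expires"))
    return findings


if __name__ == "__main__":
    for f in tiering_violations(parse_logons(LOGON_LINES)):
        print("tiering violation:", f)
    for f in privileged_account_findings():
        print("privileged account:", f)
```

On the constructed data the script reports three tiering violations (adm-jsmith and svc-backup logging on interactively to workstations, srvadm-kwong logging on to a workstation from the server tier) and two hygiene findings against svc-backup, a service account with a non-expiring password that has been placed in Domain Admins. In production the account export would come from the directory and the logon events from the SIEM, and a Tier 0 interactive logon to a workstation is exactly the kind of alert a SOC escalation protocol should page on immediately rather than queue.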
These steps define the operational baseline expected by UK regulators in managing large-scale personal data.
Stay on top of the latest news, solutions and best practices by reading Daily Updates from Today's General Counsel.