2023 Capita data breach

The 2023 Capita data breach was a ransomware and data exfiltration incident affecting the British business process outsourcing and professional services provider and millions of people whose data it processed. In late March 2023 hackers gained access to Capita's systems, stole large volumes of client and staff information and then deployed ransomware, disrupting internal IT services and causing prolonged outages across parts of the business. [1] [2] [3]

Major clients, including the Universities Superannuation Scheme, later confirmed that personal data about hundreds of thousands of pension scheme members may have been compromised. [4] [5] By the end of May 2023, at least 90 organisations had notified the Information Commissioner's Office (ICO) of personal data breaches linked to the incident, [6] and Capita estimated that the attack would cost up to £25 million in recovery and remediation expenses. [7]

An investigation by the ICO concluded that personal data relating to around 6.6 million individuals, including special category data such as health and criminal record information, had been exfiltrated, prompting hundreds of complaints and a High Court multi-party claim on behalf of more than 5,000 people. [8] [9] In October 2025 the ICO fined Capita plc and Capita Pension Solutions Limited a combined £14 million for failures to implement appropriate security measures under the UK GDPR. [8] [10]

Background and security risks

The Capita Group is a business process outsourcing and professional services group. At the time of the incident, it employed tens of thousands of staff and acted as both data controller and data processor for hundreds of organisations that relied on its central IT infrastructure and security policies. [8]

Capita plc was responsible for group-wide data protection and information security policies and for operating the core systems on which many subsidiaries stored personal data, including pensions and other client records. The ICO found there was no evidence of internal audits of the security of the affected business units, despite group policies requiring such controls. [8]

A privileged service account used by Capita, 'CAPITA\backupadmin', held domain administrator rights but was not subject to the restrictions and monitoring that a least-privilege model would have applied to it. Three penetration tests carried out between August 2022 and early 2023 had already flagged this configuration as a vulnerability, but no corrective action was taken before the breach. [8]
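
The finding above is a classic least-privilege failure: a non-interactive backup account that is a member of Domain Admins is one credential theft away from full domain compromise, and if such an account also carries a service principal name its password can be requested as a Kerberos ticket and cracked offline. The following PowerShell is an added example, not Capita's code and not taken from the ICO notice; it assumes the RSAT ActiveDirectory module on a domain-joined host with read access to AD, and a local naming convention approximated by the hypothetical pattern $servicePattern. It lists members of the privileged groups that look like service accounts, together with the indicators an auditor would check.

```powershell
# Added example (not from the ICO notice or Capita): find accounts in privileged
# groups that look like service/backup accounts and report the indicators that
# matter for a least-privilege review. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Groups to audit. 'Domain Admins' is the one relevant to the CAPITA\backupadmin finding.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')

# Assumption: name fragments that usually indicate a non-human account. Adjust to local naming.
$servicePattern = '(svc|service|backup|bkp)'

$findings = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups, which is where inherited admin rights often hide.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires, LastLogonDate

            # Password age in days; $null when the attribute is unset.
            $ageDays = $null
            if ($u.PasswordLastSet) {
                $ageDays = [int]((Get-Date) - $u.PasswordLastSet).TotalDays
            }

            [PSCustomObject]@{
                Group                = $group
                SamAccountName       = $u.SamAccountName
                Enabled              = $u.Enabled
                LooksLikeService     = ($u.SamAccountName -match $servicePattern)
                HasSPN               = ($u.ServicePrincipalName.Count -gt 0)   # Kerberoastable if true
                PasswordNeverExpires = $u.PasswordNeverExpires
                PasswordAgeDays      = $ageDays
                LastLogonDate        = $u.LastLogonDate
            }
        }
}

# Report only the rows that combine admin rights with a service-account risk indicator.
$findings |
    Where-Object { $_.LooksLikeService -or $_.HasSPN -or $_.PasswordNeverExpires } |
    Sort-Object HasSPN, PasswordAgeDays -Descending |
    Format-Table -AutoSize
```

Any row that combines LooksLikeService with Domain Admins membership is the CAPITA\backupadmin pattern. The remediation is to move the backup job to a dedicated account that holds only the rights the backup software needs (for example Backup Operators or an explicitly delegated right), give it a long managed password (a group managed service account where the product supports it), and alert on any interactive logon, or logon from an unexpected host, using that account.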

Timeline

22 March 2023
07:52 - An attacker gained access to an employee's device by means of a malicious JavaScript file (jdmb.js), which then downloaded the Qakbot malware and a Cobalt Strike beacon.
08:00 - An automatic alert was raised to Capita's security operations centre (SOC).
12:21 - The threat actor logged in with administrator access. [8]
23 March 2023
13:06 - Capita's security platform identified that Qakbot was recovering and decrypting credentials on the compromised device. [8]
24 March 2023
18:07 - Capita's SOC processed the automatic alert raised on 22 March and quarantined the compromised device, some 58 hours after the alert had been generated. [8] [10]
24–28 March 2023
Using the administrator account obtained through the compromised device, the attacker used Cobalt Strike and BloodHound to map the Active Directory environment and move laterally across the network. [8]
28 March 2023
Capita noticed suspicious activity on three devices and took all three offline for containment. [8]
29 March 2023
09:22 - Capita invoked its internal "Major Incident Management" process.
17:26 - The attacker began exfiltrating files through SystemBC, a proxy malware used as a covert channel. 827.25 MB was taken initially; the total over this channel eventually reached 1.76 GB. [8]
30 March 2023
The attacker used Rclone, a legitimate file-synchronisation tool, to exfiltrate around 973 GB of data from multiple Capita systems. [8]
31 March 2023
The attacker deployed ransomware to over 1,000 hosts [10] and reset the passwords of all 59,359 accounts on the system. At 18:30 Capita reported the incident to the ICO. [8]
3 April 2023
Capita released a statement saying, "On Friday 31st March, Capita plc experienced a cyber incident primarily impacting access to internal Microsoft Office 365 applications". [11]

Investigation and regulatory action

The incident led to widespread concern, with 93 formal complaints to the ICO, 678 complaints received directly by Capita, [8] and a High Court multi-party claim involving over 5,000 individuals. [12]

In October 2025, Capita plc and Capita Pension Solutions Limited were fined a combined £14 million for infringements of Articles 5(1)(f) and 32 of the UK GDPR. [8]

John Edwards, the UK Information Commissioner, was quoted as saying:

"Capita failed in its duty to protect the data entrusted to it by millions of people. The scale of this breach and its impact could have been prevented had sufficient security measures been in place." [10]

Adolfo Hernandez, CEO at Capita, responded to the fine:

"[...] Following an extended period of dialogue with the ICO over the last two years, we are pleased to have concluded this matter and reach today's settlement. The Capita team continues to focus tirelessly on our Group transformation journey for the benefit of our customers, our people, and wider society." [10]

Impact and cost

The breach had significant operational, financial and reputational consequences for Capita and its clients. [13] Systems across multiple business units were disrupted for several weeks, and the passwords of all 59,359 accounts were reset. Personal data relating to approximately 6.66 million individuals was exfiltrated, including special category data such as health and criminal record information. [8] Capita's annual results for the 2023-24 financial year attributed a cost of over £25 million to the incident, including the £14 million fine. [14]

References

  1. Prescott, Katie (21 April 2023). "Capita admits data breach after attack by Russian hackers". The Times.
  2. Makortoff, Kalyeena (3 April 2023). "Capita blames cyber-attack for outage as company races to restore IT systems". The Guardian. ISSN 0261-3077. Retrieved 13 November 2025.
  3. Makortoff, Kalyeena (20 April 2023). "Capita admits customer data may have been breached during cyber-attack". The Guardian.
  4. Cumbo, Josephine (12 May 2023). "Leading pensions client warns data for 470,000 members at risk from Capita hack". Financial Times. Retrieved 13 May 2023.
  5. Davies, Rob (12 May 2023). "Capita cyber-attack: USS pension fund members' details may have been stolen". The Guardian. Retrieved 14 May 2023.
  6. "Capita hack: 90 organisations report data breaches to watchdog". BBC News. 29 May 2023. Retrieved 29 May 2023.
  7. Partridge, Joanna (4 August 2023). "Cyber-attack to cost outsourcing firm Capita up to £25m". The Guardian. ISSN 0261-3077. Retrieved 13 November 2025.
  8. Monetary Penalty Notice: Capita plc; Capita Pension Solutions Limited (penalty notice). Information Commissioner's Office. 15 October 2025.
  9. "Thousands of pension holders to sue Capita over 'Russia-linked' hack". Barings Law. Retrieved 15 November 2025.
  10. Jones, Connor (15 October 2025). "Capita fined £14M after 58-hour delay exposed 6.6M records". The Register. Situation Publishing. Retrieved 15 November 2025.
  11. Makortoff, Kalyeena (3 April 2023). "Capita blames cyber-attack for outage as company races to restore IT systems". The Guardian. ISSN 0261-3077. Retrieved 13 November 2025.
  12. "Thousands of pension holders to sue Capita over 'Russia-linked' hack". Barings Law. Retrieved 15 November 2025.
  13. Partridge, Joanna (4 August 2023). "Cyber-attack to cost outsourcing firm Capita up to £25m". The Guardian. ISSN 0261-3077. Retrieved 13 November 2025.
  14. "Capita says cyberattack contributed to annual loss of more than £106 million". The Record (therecord.media). Retrieved 17 November 2025.