Capita cyber-attack impacts around 90 organisations

Background

Capita has stated that the widely reported cyber-attack it suffered in March 2023 could cost the outsourcing and professional services company up to £20 million once specialist professional fees, recovery and remediation costs, and investment in strengthened IT systems are accounted for.

The attack reportedly impacted certain personal data relating to customers, suppliers and staff. Capita was alerted to the incident by its IT monitoring capabilities, and it then took immediate steps to isolate and contain the issue using its technical crisis management protocol. Capita has stated that less than 0.1% of its servers suffered data loss or unauthorised access, but the repercussions of the attack have nevertheless been widely felt. The Information Commissioner's Office ("ICO") stated in late May that around 90 organisations had reported breaches connected to Capita, including a large number of pension schemes such as the Universities Superannuation Scheme (USS) pension fund, the UK's main pension fund for universities, which has reportedly written to all its 500,000 members. Capita’s systems are used to administer pensions for around 450 organisations, covering millions of policyholders, and as a result of the issue the Pensions Regulator has put out specific guidance on the Capita incident.

Regulator Response

The Financial Conduct Authority ("FCA") has asked Capita's clients (including large insurers and pension funds) to check whether their data has been affected, while the ICO issued a statement on 25 May encouraging organisations to check whether their data has been affected and to report any personal data breaches to it. This was the approach taken by the NHS, which reported Capita to the ICO after it was revealed that an NHS document containing ‘limited optometry information’ for two patients had been impacted by the incident, as well as two archived files containing names and NHS numbers of patients who had died more than 10 years ago or had not been registered with a GP in England for more than 10 years.

Concluding thoughts

The incident, like the recent incident impacting the “MOVEit” software, highlights the wide impact of incidents which affect supply chains and managed service providers. In many cases, the contracts governing outsourced or managed service providers’ provision of services and handling of personal data on behalf of clients will specify that the service provider is a data processor. Such data, as we see in this case, could cover multitudes of individuals such as employees, former employees, customers and other persons connected to the client. The client is then responsible as data controller for regulatory notifications and other obligations, as well as potentially facing claims from data subjects. This gives rise to a clear litigation risk for the service provider suffering the incident, as clients may look to the service provider to pay out on any losses, and the service provider may also be liable directly to data subjects and other parties. Whether this will be the case for Capita remains to be seen; it is not clear whether the £20 million loss figure includes potential costs associated with disputes with clients, data subjects, or indeed any further regulatory action.

Given that the risk of cyber-attacks is on the increase and unlikely to abate in the near future, organisations, whether on the customer or vendor side of supply chain arrangements, need to be careful to ensure that due diligence, risk assessments, and appropriate terms and conditions are in place which properly allocate risk and responsibility and mitigate, as far as possible, supply chain risk. Regulators will expect all organisations in the supply chain to have properly considered the risk in respect of their third-party supply chains and to manage it as far as possible through a mixture of technical, organisational and legal measures.