Articles

UK’s Capita fined £14 million over 2023 cyber breach affecting 6.7 million people

Capita has been fined £14 million ($18.7 million) by the UK Information Commissioner’s Office (ICO) for failing to protect personal data during a 2023 cyberattack that compromised information belonging to 6.7 million individuals, the outsourcing firm said on Wednesday.

The company, which provides services to UK government departments and major corporations, said the fine was part of a settlement with the ICO. Capita had previously estimated that the breach could cost up to £20 million in financial damages.

The ICO report found that Capita failed to maintain adequate network protections, allowing unauthorized access and privilege escalation, and did not respond properly to early security alerts. The regulator said the case underscored the growing pressure on British companies to strengthen cyber defenses following major breaches at Marks & Spencer, Co-op, and Jaguar Land Rover.

“With so many cyber attacks in the headlines, our message is clear: every organization, no matter how large, must take proactive steps to keep people’s data secure,” said John Edwards, the UK’s Information Commissioner.

Capita said it has since introduced advanced cybersecurity measures and completed an internal overhaul of its digital infrastructure. “Following an extended period of dialogue with the ICO, we are pleased to have concluded this matter,” said CEO Adolfo Hernandez.

The firm expects a free cash outflow of £59 million–£79 million in 2025, up from previous guidance of £45 million–£65 million, but noted that all other financial targets remain unchanged.

According to the National Cyber Security Centre (NCSC), the number of “highly significant” cyber incidents in Britain has doubled year-on-year, reflecting growing systemic risks across the public and private sectors.

M&S Urges Mandatory Reporting of Major Cyberattacks by UK Firms

Marks & Spencer (M&S) chairman Archie Norman has called for new legislation requiring large UK companies to report material cyberattacks to national authorities. Speaking before Parliament’s Business and Trade Committee on Tuesday, Norman said the current voluntary system leads to significant underreporting of serious breaches.

Citing the April 17 cyberattack that forced M&S to suspend its online operations for 46 days, Norman said the company had since learned of two major cyberattacks on large British firms within the past four months that were never reported to the National Cyber Security Centre (NCSC).

“We believe there’s a big deficit in knowledge,” Norman said. “So I don’t think it would be regulatory overkill to require companies of a certain size to report material cyber incidents to the NCSC within a fixed timeframe.”

While Norman declined to say whether M&S paid a ransom, he noted that the matter was “fully shared” with the National Crime Agency and other authorities. He also revealed that the attack likely involved multiple parties, including the ransomware group DragonForce, believed to be operating from Asia. Media reports have linked the Scattered Spider hacking collective to the breach.

Describing the cyberattack’s mechanics, Norman said it began with a “social engineering” operation. M&S reportedly had no contact from the threat actors for about a week following the breach. The attack is expected to result in an estimated £300 million ($409 million) in lost operating profit.

Norman added that M&S had been “fortunate” to have doubled its cyber insurance coverage last year, though the company expects the claims process to take up to 18 months. The online clothing store reopened on June 10, but click-and-collect services remain offline.

Nick Folland, General Counsel at M&S, told lawmakers that a key takeaway for other businesses was to maintain the ability to operate offline using pen and paper: “That’s what you need to be able to do for a period of time whilst all of your systems are down.”

CEO Stuart Machin previously said that the company expected to be past the worst of the incident’s impact by August.

Norman’s remarks underline the growing push for stronger cybersecurity regulation in the UK, amid rising concerns about corporate transparency and resilience in the face of increasingly sophisticated cyber threats.

UK Warns of Increased Cyber Threats as AI Adoption Rises, New Security Strategy on the Way

Britain is set to face a rise in both the frequency and severity of cyberattacks as artificial intelligence becomes more widespread, warned Cabinet Office Minister Pat McFadden during the CyberUK 2025 conference on Wednesday. He revealed that a newly declassified intelligence assessment indicates AI will significantly enhance cyberattack capabilities, posing an urgent threat to national infrastructure and the private sector.

“Cyber security isn’t a luxury, it’s an absolute necessity,” McFadden said, urging coordinated action across government, business, and public institutions.

The warning comes in the wake of a string of recent cyberattacks on prominent British retailers including Marks & Spencer, the Co-op Group, and Harrods. M&S remains unable to process online clothing orders, underlining the long-lasting disruption such attacks can cause.

Key Points:

  • In 2024, the National Cyber Security Centre (NCSC) received nearly 2,000 attack reports, with 12 classified at the highest level of severity, triple the number from the year before.

  • McFadden announced that the government will release a new UK Cyber Security Strategy later this year.

  • A forthcoming Cyber Security and Resilience Bill will empower the government to compel regulated organisations to strengthen their cyber defences.

  • The recent retailer incidents are widely believed to involve ransomware, a form of attack where systems are encrypted and a payment is demanded for restoration.

NCSC CEO Richard Horne emphasized the need to dismantle the ransomware business model, calling for a future in which paying cyber ransoms is no longer an acceptable response.

As AI continues to accelerate the sophistication and automation of cyber threats, the UK government is positioning cybersecurity not just as a technological challenge but as a core pillar of national resilience.