Get all your news in one place.
100’s of premium titles.
One app.
Start reading
The Guardian - UK
The Guardian - UK
Business
Rob Davies

Capita boss quits as potential fine looms for huge hack of confidential data

The Capita headquarters in the Copyright building, Berners Street, central London.
The Capita headquarters in the Copyright building, Berners Street, central London. Photograph: Robert Evans/Alamy

The chief executive of outsourcing firm Capita is to step down as the company reels from a cyber-attack that could result in a hefty fine from the UK’s information and privacy regulator.

Capita said Jon Lewis would step down by the end of the year, making way for Adolfo Hernandez, the vice-president of telecommunications at Amazon Web Services.

The handover was announced with Capita still recovering from the impact of an attack by the Black Basta ransomware group, which hacked the company’s Office 365 software and accessed the personal data of staff working for the company and dozens of clients.

Capita said Lewis was not paying the price for Capita’s vulnerability to the cyber-attack that began in March but had instead delayed his retirement to lead its response to the crisis.

The Information Commissioner’s Office (ICO) has the power to levy penalties on companies that fail to keep people’s private data safe and has issued significant fines in the past. In 2020 it fined British Airways £183m before reducing the penalty to £20m, citing mitigating factors such as the company’s parlous financial position amid the pandemic.

About 90 organisations have said that their data was breached in the attack on Capita, which runs crucial services including pension schemes for local councils, the military and the NHS.

Capita’s customers include the London boroughs of Barnet, and Barking and Dagenham, and South Oxfordshire council. After the attack in March, their websites displayed messages saying that phone lines for their benefits, council tax and business rates call centres were down.

Capita, which also handles the licence fee for the BBC, has said it expected the incident to cost it between £15m and £20m, covering specialist professional fees, recovery and remediation costs, as well as investment to reinforce its cybersecurity defences and strengthen its IT security.

The estimated sum is not thought to take into account a potential fine from the ICO. Capita has also not disclosed whether it paid a ransom to the hackers, who typically seek to extort money from companies from which they have stolen data.

Capita said Lewis had informed the board that he was considering retirement last year, after trying to revive the business since his appointment in 2017.

The company’s chairman, David Lowden, said he wanted “to pay particular tribute to [Lewis’s] leadership in recent months, during which he decided to delay his possible retirement from Capita due to the cyber incident we experienced in March”.

Capita is due to announce its half-year results on Friday and said that trading for the first six months of the year had been in line with company expectations, despite the impact of the cyber-attack.

• This article was amended on 1 August 2023 to remove text stating that local authorities in South Oxfordshire, Barnet, and Barking and Dagenham were “victims of the hack”, though some services were affected.

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.