Capita CEO quits, with fine for March hack on the horizon

Incident expected to cost Capita up to £20 million - before the fine

Jon Lewis, CEO at outsourcing giant Capita, will retire this year as the company awaits a decision from the ICO on a penalty for a cyberattack in March.

Lewis will step down by the end of the year, to be replaced by Adolfo Hernandez - currently VP of telecommunications at AWS.

Capita is currently waiting for a decision by the Information Commissioner's Office (ICO) on a penalty for the hack in March, which took down the company's IT systems and disrupted its services.

The hack, by the Black Basta ransomware group, affected Capita's service provision for multiple government departments and authorities. The company works with customers including the British Army, Royal Navy, the Ministry of Defence, the Ministry of Justice, the NHS, Transport for London, HMRC and the BBC.

About 90 organisations have reported data breaches relating to the incident.

The attack primarily affected the Office 365 suite - and, it became apparent last month, employees' personal data.

Capita has insisted that Lewis is not leaving as a consequence of the attack, but instead delayed his retirement - which he told the board he was considering last year - to deal with the fallout.

Capita expects the incident to cost it between £15 million and £20 million. That covers specialist professional fees, recovery and remediation costs, and investment to boost its cyber defences and IT security.

The figure is not thought to include any potential fine by the ICO.

The regulator has the power to enforce hefty fines for data breaches, especially where personal data is affected. It threatened British Airways and Marriott with penalties of £183 million and £99 million respectively in 2019, later reducing them to £20 million and £18.4 million.

Capita is due to announce its half-yearly results this week, which it says are in-line with expectations.