Regular monitoring and updating of the Technical and Organizational Measures

  • Author: Arno Schlösser, DP-Dock GmbH
  • Last updated: November 2025
  • Category: Enforcement, Data Security

The UK Information Commissioner's Office (ICO) has fined the service provider Capita £14 million. The reason: inadequate security measures, which led to a massive hacker attack in March 2023. Sensitive pension records, personnel files, and customer data from hundreds of organizations were stolen. According to the authority, Capita, a major provider of outsourcing and IT services, had not taken sufficient Technical and Organizational Measures (TOMs). The cyberattack was triggered by an employee accidentally downloading a malicious file. Although a security alert was received promptly, it took 58 hours for the affected device to be isolated – enough time for the attackers to install malware, gain administrator rights, and steal almost a terabyte of data.

The investigation revealed several fundamental shortcomings in security measures and organizational controls: there was no tiered authorization model for administrator accounts; warnings were not dealt with promptly because the Security Operations Center was understaffed; and penetration tests were neither carried out regularly nor evaluated company-wide.

This decision underscores the importance of adequate TOMs and an emergency plan for IT security incidents.

Should you have any questions or require further information, please do not hesitate to contact us any time.

