
Capita says 2023 cyberattack costs a factor as it reports staggering £100M+ loss

Outsourcing giant Capita today reported a net loss of £106.6 million ($135.6 million) for calendar 2023, with the costly cyberattack by criminals making a hefty dent in its annual financials.

The total costs incurred due to the break-in, believed to be carried out by the Black Basta ransomware group in March last year, stand at £25.3 million ($32.2 million). The sum exceeds the initial estimates made in the immediate post-mortem of the incident (£15-20 million) but falls in line with the updated estimates published late last year (£20-25 million).

Capita’s £100M+ loss immediately sent its market capitalization down by 20 percent this morning, a serious disappointment for shareholders.

Other contributing factors included business exits, a goodwill impairment charge, and expenses related to the company’s cost-reduction program.

As a result, newly minted Capita CEO Adolfo Hernandez announced further cost cuts for the coming year that aim to save the business an additional £100 million ($127.2 million) by mid-2025.

“Our 2023 financial results have demonstrated some progress. However, we have yet to deliver the operational excellence that will enable us to create the right platform for future growth or achieve our full potential for the benefit of shareholders,” he said.

“Looking forward, we will focus on precision in execution, co-creating solutions with clients and accelerating the use of technology, and leveraging our technology partnerships to drive improvement in our operating and financial performance.

Cutting £100M in costs as staff worry for jobs

“We need to deliver a rapid reduction in our cost base and are on track to deliver the net £60 million annualised cost savings, from Q1 2024 as announced in November. Today we are announcing further material efficiency improvements of £100 million to improve our competitive position.

“We have strong foundations and the opportunity for significant growth in the medium and longer term. I look forward to sharing more details on Capita’s future strategy in June.”

No details were mentioned about where these costs will be trimmed, but the easy assumption would be to look at further limiting headcount, as the business has already done in the past 12 months.

In November last year, Capita announced plans to cut around 900 jobs and didn’t rule out further redundancies at the time.

Capita focused much of its cost-cutting efforts last year on employee consultations and exiting property leases, permanently closing 19 sites and consolidating 14 more.

Despite the 2023 cyberattack impacting its pensions business, Capita continues to win lucrative government pension contracts, among other wins, which for the year reached a total value of £3 billion ($3.8 billion). 

For example, in November last year, on the same day it announced the near-four-figure job cuts, Capita alerted the London Stock Exchange that it had won a ten-year contract worth £239 million ($304.1 million) to manage the Cabinet Office’s pension scheme.

However, the impact of the attack on the business was significant. Capita’s customer net promoter score was down to +16 from +25 due to the impact on its pensions administration business, the attack on which affected “a number of clients.”

“While this is a ten-point reduction from 2022, it remains a creditable performance bearing in mind the impact of the cyber incident,” today’s report [PDF] read.

The attack also had a substantial influence on the cash generated from operations, which decreased from £98.4 million ($125.2 million) to £41.2 million ($52.4 million) – driven in part by the cash costs of the cyberattack.

The company continues to work with the Information Commissioner’s Office (ICO), from which it doesn’t expect a regulatory penalty, but is still fielding information requests from the data watchdog.

Capita’s cyberattack recap

It’s been nearly a year since the story of Capita’s incident hit the headlines, starting with an IT outage that was shortly afterwards revealed to have been caused by a cyberattack.

In the early days, it said there was no evidence to suggest that any customer, supplier, or colleague data was stolen – a statement which was adjusted in the following weeks after Black Basta claimed responsibility, plastering sensitive documents online.

What followed was criticism of the company for failing to communicate the gravity of its incident. Black Basta reportedly started selling off data such as bank records and other personally identifiable information (PII), before moving on to other confidential documents, floorplans, passports, and more.

Today’s update promised that Capita’s continual monitoring of the dark web has not revealed any new evidence that stolen data is circulating there specifically, or at least none that its agents can find. ®