The City of London Police has announced Capita will be one of the suppliers for a new fraud reporting service, which will replace the current Action Fraud set-up. The contract award comes despite Capita being under investigation by data regulator the Information Commissioner’s Office (ICO) over multiple data breaches affecting the public sector.

Image shows Capita logo on a web browser through magnifying glass.
Capita has been selected for the Action Fraud replacement, but will that pose to risk to City of London Police? (Photo by Postmodern Studio/Shutterstock)

Capita will work with PwC UK to provide the new fraud and cybercrime reporting service, according to a City of London Police announcement released earlier this week. This service is part of the Government’s Fraud Strategy and will replace Action Fraud. The Home Office has committed to spending more than £30m across three years on the replacement, alongside contributions from the City of London Corporation.

The announcement said that the new service had received “£152m of funding from the Home Office and the City of London Corporation” to support the build and run of the service for the next five years, double the original estimated value on the tender. The Capita contract is worth £50m, starting from 2024, for five years.

Capita will operate the contact centre on behalf of the police force and provide the technology to enable fraud reporting, which includes a new website and reporting tool. PwC UK will provide the crime and intelligence management tech used by the National Fraud Intelligence Bureau (NFIB) and support the City of London Police to integrate and manage the services.

The Action Fraud replacement will be operational in the second quarter of 2024, says City of London Police. The force acts as the National Lead Force in tackling fraud in the UK.

Security minister Tom Tugendhat said the announcement “demonstrates that we’re not wasting any time in delivering our new Fraud Strategy and replacing Action Fraud”. However, other MPs have accused the government of lacking urgency in tackling fraud, and in April parliament’s Public Accounts Committee was forced to demand the policy be made public after it was delayed for five months.

Capita selected to handle personal information after data breaches

Jon Lewis, CEO of Capita, said the contract win “is testament to our proven track record of delivering digitally-enabled customer management for citizens – including some of the most vulnerable people in society – and reflects our commitment to delivering an outstanding service to our public sector clients.”

However, there could be cause for concern over Capita’s appointment following its admission that it suffered a cyberattack in March 2023, which the outsourcer has said will set it back £20m.

As reported by Tech Monitor, Capita was a victim of an attack which affected the company’s access to Microsoft’s Office 365 productivity suite. It had previously denied that any data was stolen during the incident but later admitted that customer information had been compromised and stolen.

Capita is the largest contractor for the public sector, holding contracts worth £6.5bn for IT and other services. Global Data say that in 2022/2023 alone, the UK public sector spent at least £453m with the business. Capita itself says that 90.2% of its total revenue comes from the UK public and private sector contracts.

The cyberattack left Local Authorities and other organisations relating to critical national infrastructure resorting to using radios, pens and paper because of the attack, reported the Guardian. Local governments using Capita include Barnet, Barking and Dagenham, Lambeth and South Oxfordshire. The National Cyber Security Centre, Cabinet Office and other agencies in government were also alerted to the incident.

Following the admission of the attack, it was revealed that an AWS-hosted cloud storage bucket containing data from Capita clients had been available online since 2016, with no password protection. The trove of data contained approximately 3,000 files making up 655GB of data.

The ICO previously told Tech Monitor that it had received approximately 90 reports about the potential breaches relating to Capita and the unsecured database.

Is the decision based on trust or lack of money?

Tech Monitor contacted the City of London Police to ascertain whether there was concern about Capita’s adequacy in providing such a critical platform, which could handle sensitive data and personal information.

“We have every confidence that the suppliers that have been successful with their bids are taking their recent cybersecurity incidents seriously and that the risk of any breaches to City of London Police services is low,” said Chris Bell, service delivery director at City of London Police.

When asked why Capita had been chosen despite the ICO investigation, Bell said that the procurement process had been ongoing for over 20 months, which included inviting bids for the tender process, assessing the bids and appointing suppliers.

Angela McLaren, Commissioner of the City of London Police, also said that the procurement process was “rigorous.”

The appointment of Capita demonstrates how the public sector still relies on big tech consultancies. Rob Stoneman, service director for UK public sector at GlobalData, told Tech Monitor that he suspects that the announcement shows that “old habits are dying hard” when it comes to leaning heavily on large businesses like Capita.

He says the appointment of Capita might also be linked to costs already incurred during the procurement process: “The tender exercise has been ongoing since July 2021 so any recent cyber issues will have come too late to make much difference,” Stoneman says.

“It’s likely too much time and money has already been spent on the procurement even to contemplate trying to get out of it and go to market again. It also depends on the contractual terms and conditions and when the contract was signed.”

Read more: Why UK police are being overwhelmed by cybercrime