
In October 2025 the Information Commissioner's Office (ICO) fined Capita plc and Capita Pension Solutions Limited a combined £14m over a 2023 data breach that affected 6.6 million individuals.

The ICO stated that Capita "failed in its duty" to protect the personal data entrusted to it, and that no organisation "is too big to ignore its responsibilities". 

The breach

In March 2023, Capita plc and its subsidiary Capita Pension Solutions Limited (CPSL) suffered a significant cyberattack in which personal data relating to approximately 6.6 million individuals was stolen. The attack began when a malicious file was downloaded onto a Capita employee's device, giving the attacker a foothold on Capita's network that they were then able to maintain. A high-severity security alert was triggered within 10 minutes of the compromise, but Capita did not respond appropriately and did not shut down the device for another 58 hours, leaving the attacker with unrestricted access in the meantime. That window between alert and containment is where the damage was done: it is the period in which the attacker escalated privileges, moved across the network and extracted data. The attacker later deployed ransomware and reset all user passwords, locking Capita employees out of the network.

The compromised personal data included a wide range of sensitive information, such as names, addresses, dates of birth, National Insurance numbers, bank details, passport scans and biometric data. Special category data was also stolen, including health records, racial and ethnic origin, political and religious beliefs, trade union membership, criminal record checks and sexual orientation.

Given the extent and sensitivity of the data stolen, the ICO received a number of complaints from those affected by the incident. Capita also faces a multi-party claim in the High Court involving nearly 4,000 claimants who say they were affected.

Capita's response to the incident

Capita undertook a series of remedial actions after the incident occurred. These included:

  • Restricting access of administrator accounts and controlling movement across the systems;
  • Deploying a more robust and integrated asset management system to improve protections; and
  • Doubling the number of analysts in the Security Operations Centre (SOC).

Despite these efforts, the ICO found that Capita's security measures had been insufficient to prevent or contain a breach of this scale. It identified a number of systemic failures, including:

  • A failure to implement appropriate technical and organisational measures to prevent unauthorised lateral movement and privilege escalation within its network;
  • A failure to respond promptly to high-risk security alerts, with a critical alert left unaddressed for over 58 hours, allowing the threat actor to gain privileged access and extract data;
  • Negligent oversight of penetration testing results, which had flagged high-risk vulnerabilities months before the incident but were not remediated across the network; and
  • Inadequate resourcing and alert handling, with Capita consistently failing to meet its own staffing targets for responding to high-priority alerts.

Capita accepted the findings and entered into a voluntary settlement with the ICO, agreeing not to appeal the decision. The final penalties were reduced from an initial figure of £58 million to £14 million, with £8 million payable by Capita plc and £6 million by CPSL. The Information Commissioner, John Edwards, stated that "the scale of this breach and its impact could have been prevented had sufficient security measures been in place".

Key Takeaways from the decision

The ICO highlighted several important lessons for organisations handling personal data:

  • Security measures must be proportionate to the sensitivity and volume of the data being processed. Organisations should not rely solely on basic controls; where the risk profile of the data warrants it, they must implement more advanced protections.
  • Timely and consistent responses to security alerts are critical. Delays in addressing alerts give attackers time to escalate privileges and exfiltrate data.
  • Penetration testing should be comprehensive, and its findings must be disseminated across the organisation. A risk identified in one part of a business must be remediated group-wide.
  • Post-incident mitigation is important but does not absolve prior failures. While Capita took steps to improve its security posture after the breach, the ICO emphasised that preventative measures must be in place before an incident occurs. The size of the fine shows that the ICO will give little credit for purely reactive mitigation.

For more information or to discuss your cyber and fraud prevention needs please contact our specialist cyber team.