UK ICO Fines Capita £14 Million Following Data Breach

On October 15, 2025, the UK Information Commissioner’s Office (“ICO”) announced a £14 million fine against Capita for failing to ensure the security of personal data relating to a significant personal data breach. The fine was split between Capita plc (£8 million) and Capita Pension Solutions Limited (£6 million) (together, “Capita”).

In March 2023, Capita experienced a cybersecurity incident that resulted in unauthorized access to the personal data of approximately 6.6 million individuals. The compromised information included pension records, employee details and customer data from various organizations supported by Capita. For some individuals, the breach involved particularly sensitive personal information, such as financial data, criminal records and special category data. Capita Pension Solutions Limited, which processes personal data for over 600 pension schemes, reported that 325 of its client organizations were affected by the breach.

The breach originated when a malicious file was inadvertently downloaded onto an employee’s device on March 22, 2023. Although a high-priority security alert was triggered within 10 minutes, the affected device was not quarantined for 58 hours, which far exceeded Capita’s target response time of one hour. During this period, the cyber attacker was able to exploit Capita’s systems, gain administrator privileges, access additional parts of the network, and exfiltrate nearly one terabyte of data. Ransomware was later deployed and Capita personnel were locked out of Capita systems.

The ICO’s investigation identified several areas where it deemed Capita’s technical and organizational measures to be insufficient:

  • Privilege Escalation and Lateral Movement: Capita did not implement a tiered approach to administrative accounts, enabling the attacker to move across multiple domains and systems. This vulnerability had previously been identified but not addressed.
  • Delayed Incident Response: Despite the rapid detection of a potential threat, Capita’s response was delayed by over two days. This was found to be largely due to understaffing in its Security Operations Centre.
  • Penetration Testing and Risk Assessment: Systems responsible for processing large amounts of sensitive data were only tested upon being commissioned, with no follow-up assessments. Findings from these tests were not communicated across the wider organization, and risks identified that affected the wider Capita network were not addressed on a broader scale.

While the ICO initially proposed a fine of £45 million, this was reduced after Capita presented mitigating factors, including improvements made post-incident, support for affected individuals such as 12 months of credit monitoring, and cooperation with authorities. Capita accepted responsibility and agreed to pay the £14 million penalty without appeal.

Read the ICO press release.