UK ICO Imposes £14 Million Penalty on Capita Following Data Breach

On October 15, 2025, the UK Information Commissioner’s Office (ICO) announced a significant fine of £14 million against Capita due to severe lapses in data security following a major data breach. The penalty is divided between Capita plc, which faces a £8 million fine, and Capita Pension Solutions Limited, which is fined £6 million. This action underscores the serious implications of inadequate cybersecurity measures in handling personal data.

The breach, which occurred in March 2023, resulted in unauthorized access to the personal data of approximately 6.6 million individuals. The compromised information included sensitive details such as pension records, employee information, and customer data from various organizations supported by Capita. For a subset of those affected, the breach also involved particularly sensitive personal information, including financial data, criminal records, and special category data.

Details of the Cybersecurity Incident

The incident began when a malicious file was inadvertently downloaded onto an employee’s device on March 22, 2023. Despite a high-priority security alert being triggered within 10 minutes of the download, the affected device remained unquarantined for an alarming 58 hours. This delay significantly exceeded Capita’s targeted response time of one hour, allowing the cyber attacker to exploit the company’s systems, gain administrator privileges, and access extensive parts of the network. Ultimately, the attacker exfiltrated nearly one terabyte of data before deploying ransomware that locked Capita personnel out of their own systems.

An investigation by the ICO revealed multiple areas of concern regarding Capita’s security protocols. One major issue was the lack of a tiered approach to administrative accounts, which enabled the attacker to move laterally across different systems and domains. This vulnerability had previously been identified but had not been adequately addressed. Additionally, the delayed incident response was attributed to understaffing within Capita’s Security Operations Centre, which hindered timely action against the threat.

Regulatory Response and Future Implications

The ICO’s initial proposal for a fine was £45 million, reflecting the gravity of the breach. However, after Capita presented mitigating factors—including improvements made to their security measures following the incident, support for affected individuals through 12 months of credit monitoring, and cooperation with regulatory authorities—the fine was reduced to £14 million. Capita has accepted responsibility and agreed to pay the penalty without pursuing an appeal.

The incident serves as a stark reminder of the critical importance of robust cybersecurity measures, especially for organizations that manage vast amounts of sensitive personal data. The ICO’s actions not only highlight Capita’s failures but also emphasize the broader responsibility organizations have in protecting the personal data of their clients and employees. As cybersecurity threats continue to evolve, companies must prioritize investments in security protocols to safeguard against potential breaches.