
Capita fined £14 million - another wake-up call to take data security seriously

Feb 11

Introduction

The ICO’s largest fine in recent months was a combined £14 million against Capita PLC (£8 million) and Capita Pensions Solutions Limited (£6 million) in October last year. It is another wake-up call to take data security seriously.


The breaches affected over 6.5 million data subjects, 3973 of whom joined a multi-party action in the High Court claiming compensation. Although compensation for data breaches is usually low, the total outlay for this number of claimants is likely to run into millions.


There were more than 93 complaints to the ICO.


ICO press release

The ICO’s press release contains the following description of what happened:-


The attack began when a malicious file was unintentionally downloaded onto an employee device on 22 March 2023. Despite a high priority security alert being raised within 10 minutes of the breach and some immediate automated action being taken, Capita did not quarantine the device for 58 hours, during which the attacker was able to exploit its systems.


This file enabled the deployment of malicious software onto the Capita network, allowing the hacker to stay in the system, gain administrator permissions and access other areas of the network. Between 29 and 30 March 2023, nearly one terabyte of data was exfiltrated. On 31 March 2023, ransomware was deployed onto Capita systems and the hacker reset all user passwords, preventing Capita staff from accessing their systems and network.


Security breaches

The ICO decided there had been an absence of effective security measures between May 2018 and March 2023. Penetration tests before the attack had revealed vulnerabilities that had not been acted upon. There had also been a failure to respond effectively to security alerts between September 2022 and March 2023.


Identity theft goldmine

The personal information was processed for the provision of Capita’s business services, including pensions administration, human capital resourcing and document management solutions. The following categories of information, an identity theft goldmine for hackers, were extracted:


• Contact information

• ID information

• Account information

• Date of birth information

• Financial information

• Special category data

• Criminal record information

• Child data


Reducing risks and fines proactively

Following this case, the ICO advises that organisations should be taking proactive steps to reduce security risk in several areas, including:-


• Ensuring that the principle of ‘least privilege’ is applied across the organisation;

• Regularly monitoring for suspicious activity and responding to warnings and alerts promptly;

• Sharing the results of penetration testing across the whole organisation, and acting on the findings.
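The second point above, responding to warnings and alerts promptly, can only be enforced if the time between an alert firing and the affected device being isolated is actually measured. The script below is an added example (not ICO guidance and not Capita’s own tooling) of such a check: it parses a small constructed alert log, works out the time to containment for each high-priority alert, and flags every one that exceeded a hypothetical per-severity SLA. The hostnames, alert identifiers and SLA values are assumptions made for the example; the 58-hour delay on the first record mirrors the figure in the ICO press release quoted earlier.

```python
"""
Alert-to-containment latency check (added illustrative example; not the ICO's
or Capita's tooling). Given records of endpoint alerts and the time the device
was actually isolated, flag every alert whose containment exceeded the SLA for
its severity. Hostnames, alert IDs and SLA values below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical SLAs: how quickly a device must be isolated after an alert fires.
CONTAINMENT_SLA = {
    "critical": timedelta(minutes=30),
    "high": timedelta(hours=1),
    "medium": timedelta(hours=8),
}


@dataclass
class Alert:
    alert_id: str
    host: str
    severity: str
    raised_at: datetime
    contained_at: Optional[datetime]  # None if the device was never isolated


def parse_alerts(lines):
    """Parse 'alert_id,host,severity,raised_at,contained_at' CSV lines (ISO-8601 timestamps)."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and the header comment
        alert_id, host, severity, raised, contained = line.split(",")
        alerts.append(Alert(
            alert_id, host, severity.lower(),
            datetime.fromisoformat(raised),
            datetime.fromisoformat(contained) if contained else None,
        ))
    return alerts


def time_to_contain(alert, now):
    """Elapsed time from alert to isolation, or time still open if not yet contained."""
    end = alert.contained_at if alert.contained_at else now
    return end - alert.raised_at


def sla_breaches(alerts, now):
    """Return (alert, elapsed, sla) for every alert whose containment exceeded its SLA.

    Uncontained alerts are measured against 'now', so an open alert is reported
    as soon as it has been open longer than its SLA, not only after the fact.
    """
    breaches = []
    for a in alerts:
        sla = CONTAINMENT_SLA.get(a.severity)
        if sla is None:
            continue  # severity without an SLA: not measured here
        elapsed = time_to_contain(a, now)
        if elapsed > sla:
            breaches.append((a, elapsed, sla))
    return breaches


# Constructed sample log: one device isolated 58 hours after a high-priority
# alert (the delay described in the press release), one isolated within the
# SLA, and one critical alert with no containment recorded at all.
SAMPLE_LOG = """\
# alert_id,host,severity,raised_at,contained_at
A-1001,ws-0421,high,2023-03-22T09:10:00,2023-03-24T19:10:00
A-1002,ws-0377,high,2023-03-22T11:00:00,2023-03-22T11:25:00
A-1003,srv-db02,critical,2023-03-23T02:00:00,
""".splitlines()

if __name__ == "__main__":
    now = datetime(2023, 3, 23, 4, 0, 0)  # evaluation time for the open alert
    for alert, elapsed, sla in sla_breaches(parse_alerts(SAMPLE_LOG), now):
        state = "contained" if alert.contained_at else "STILL OPEN"
        print(f"{alert.alert_id} {alert.host} {alert.severity}: "
              f"{elapsed} to containment (SLA {sla}) [{state}]")
```

Run as a scheduled job against exported EDR or SIEM alert records, the same logic gives a standing report of alerts that were raised but not acted on, which is the gap the ICO identified between September 2022 and March 2023.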


The fine was reduced from £25 million for Capita PLC and from £20 million for Capita Pensions Solutions Limited, after written representations from Capita described their various responses in mitigation. They included improvements to security after the attack, support offered to affected individuals and engagement with regulators and the National Cyber Security Centre.


The enforcement notice makes clear that no organisation is so big that it can afford to be lax with data security or assume that it is well in hand.


Questions to consider

Is your data security policy up to date?

Is it implemented uniformly across the organisation?

Do you know what to do when there is a security breach, whether actual or suspected?

Mariel Irvine

9 February 2026
