General

Capita facing 14 million GBP fine due to mishandling of personal data followed by a ransomware attack

On 15th October 2025, the UK Information Commissioner’s Office (ICO) announced that Capita Plc and Capita Pension Solutions Limited would pay a combined fine of 14 million GBP for a data breach in 2023 that exposed data belonging to 6.6 million UK residents and 325 client organisations (data controllers). This is the biggest fine imposed by the ICO to date.


The ICO ruled that Capita had failed to implement ‘appropriate technical and organisational measures’, as required under the UK GDPR, leaving special category data exposed to cybercriminals.

For UK businesses, this incident is a sharp reminder that data protection is not simply a regulatory requirement – it is a fundamental pillar of operational resilience, customer trust and business reputation.

Background of the data breach

The data breach began on 22nd March 2023, when a Capita employee inadvertently downloaded a malicious file onto a company device. A security alert was triggered within minutes – yet it took 58 hours for Capita’s information security team to properly isolate the compromised device. That delay has proved very expensive for Capita.

Between 29th and 30th March 2023, the attackers exploited this lapse to escalate privileges, move laterally across Capita’s systems and exfiltrate nearly one terabyte of data. The stolen data included names, addresses, dates of birth, pension details, employment records, and also financial and criminal records.

On 31st March, the attackers deployed ransomware, encrypting core systems and forcing Capita into emergency response mode. Operations were disrupted, clients’ services were affected, and sensitive data was spread across dark web forums.

Where Capita Went Wrong

The ICO highlighted systemic failings in Capita’s cybersecurity framework – its ‘organisational and technical controls’. Despite the fact that Capita was handling such a large volume of personal data and special category data, its practices for handling that data were far from adequate.

1. Failure to respond to security alerts: Capita’s security monitoring system raised an alert within 10 minutes of the initial compromise; however, no containment measures were deployed for more than two days. This delay allowed the attackers to explore the network unhindered and get hold of valuable personal data.

2. Weak access control measures: The ICO’s investigation revealed that Capita did not operate a tiered administrative model for administrative accounts, meaning that privileged/admin accounts were not properly segregated. This made it easier for the attackers to gain elevated access once inside the system.

3. Inadequate follow-up on vulnerability assessment and penetration testing (VAPT): Capita had commissioned VAPT, which informed it of potential vulnerabilities present in its systems; however, these were not addressed in a timely manner and were left unpatched across multiple domains, exposing a wide attack surface.

The ICO also observed that Capita had conducted VAPT a couple of years earlier but, as its infrastructure expanded, did not invest in periodic VAPT.

4. Insufficient risk management and oversight: The ICO found that Capita’s overall risk management framework and senior management oversight were not robust enough to tackle a cybersecurity and data protection incident, and concluded that Capita ‘did not take appropriate steps to prevent, detect and respond to a foreseeable cyberattack’, as required by UK GDPR Article 32.
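The tiered administrative model that the ICO found missing (item 2 above) is a control that can be verified from logon telemetry: if an admin account is ever used on a host outside its own tier, the tiering is not in force. The script below is an added example, not code from the original article, from Capita or from the ICO. The tier inventory, the account and host names and the log lines are all constructed for illustration.

```python
"""Detect violations of a tiered administrative model in logon events.

Added example; the tier assignments, account names, host names and log
lines below are constructed for illustration and do not come from the
ICO decision or from Capita's environment.
"""
from dataclasses import dataclass
from datetime import datetime

# Tier model (hypothetical): 0 = identity and control plane, 1 = servers
# and applications, 2 = user workstations. Under a tiered model an admin
# account is only ever used on hosts of its own tier, so a credential
# stolen from a workstation cannot be replayed against the control plane.
ACCOUNT_TIER = {
    "t0-admin-alice": 0,
    "t1-srvadmin-bob": 1,
    "helpdesk-carol": 2,
    "alice": 2,  # everyday account, kept separate from the tier-0 admin account
}
HOST_TIER = {
    "dc01": 0,
    "app-srv-07": 1,
    "ws-finance-112": 2,
}

# Constructed logon records in a simple "timestamp account host" form.
SAMPLE_LOG = """\
2025-01-06T09:01:00 t0-admin-alice dc01
2025-01-06T09:15:00 helpdesk-carol ws-finance-112
2025-01-06T09:40:00 t0-admin-alice ws-finance-112
2025-01-06T10:05:00 t1-srvadmin-bob app-srv-07
2025-01-06T10:30:00 t1-srvadmin-bob ws-finance-112
2025-01-06T11:00:00 alice ws-finance-112
2025-01-06T11:20:00 svc-legacy app-srv-07
"""


@dataclass(frozen=True)
class Logon:
    when: datetime
    account: str
    host: str


@dataclass(frozen=True)
class Finding:
    account: str
    host: str
    reason: str


def parse_log(text: str) -> list[Logon]:
    """Parse the constructed log format; blank lines are ignored."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, account, host = line.split()
        events.append(Logon(datetime.fromisoformat(stamp), account, host))
    return events


def tier_violations(events: list[Logon]) -> list[Finding]:
    """Return one finding per logon that breaks tier separation.

    Rules checked:
      * a more privileged account (lower tier number) logging on to a less
        privileged host exposes its credential material on that host;
      * a less privileged account logging on to a more privileged host means
        the host is not restricting who may administer it;
      * an account or host missing from the inventory cannot be classified,
        which is itself a control gap worth reporting.
    """
    findings = []
    for e in events:
        a_tier = ACCOUNT_TIER.get(e.account)
        h_tier = HOST_TIER.get(e.host)
        if a_tier is None or h_tier is None:
            findings.append(Finding(e.account, e.host, "account or host not in tier inventory"))
        elif a_tier < h_tier:
            findings.append(Finding(e.account, e.host, f"tier {a_tier} credential exposed on tier {h_tier} host"))
        elif a_tier > h_tier:
            findings.append(Finding(e.account, e.host, f"tier {a_tier} account reached tier {h_tier} host"))
    return findings


def accounts_spanning_tiers(events: list[Logon]) -> dict[str, set[int]]:
    """Accounts seen on hosts of more than one tier: the clearest sign that no tiering is in force."""
    seen: dict[str, set[int]] = {}
    for e in events:
        if e.host in HOST_TIER:
            seen.setdefault(e.account, set()).add(HOST_TIER[e.host])
    return {acct: tiers for acct, tiers in seen.items() if len(tiers) > 1}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in tier_violations(evs):
        print(f"{f.account} -> {f.host}: {f.reason}")
    print("accounts seen across tiers:", accounts_spanning_tiers(evs))
```

On the constructed sample this reports the tier-0 admin account and the tier-1 server admin both being used on a workstation, and a service account that is absent from the inventory. In practice the inventory would come from the directory (group membership or OU) and the events from the SIEM; the point is that tier separation is a property you can measure continuously rather than assert in a policy document.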

Lessons

The ICO’s decision sets a precedent for strict liability on data processors as well as data controllers. Even if an organisation handles personal data on behalf of another organisation (the data controller), it remains directly accountable for data breaches and for failure to comply with the UK’s data protection laws.

This means businesses can no longer rely on third parties to ‘own’ their compliance obligations.

Even as a data processor, an organisation needs to ensure that it has ‘appropriate organisational and technical controls’ in place to safeguard personal data.
