Capita has been fined £14 million by the Information Commissioner’s Office (ICO) for serious data protection failures following a major cyber-attack in March 2023 that compromised the personal details of 6.6 million people across the UK.
The attack, which saw hackers infiltrate Capita’s systems and extract nearly one terabyte of sensitive data, affected customers, pension scheme members, and staff of one of Britain’s largest outsourcing firms.
In its report, the ICO described the incident as “a systemic failure to apply basic cyber hygiene”, concluding that the breach caused “significant distress and anxiety” for millions of people whose financial, employment, and personal data was exposed.
According to the regulator, Capita detected the breach within 10 minutes of the hackers gaining access but failed to isolate the infected device for 58 hours, a delay that allowed ransomware to spread and data to be exfiltrated.
Sensitive material stolen included financial data, criminal record checks, and “special category data” — information revealing an individual’s race, religion, sexual orientation, and health status.
The ICO investigation found that Capita had known vulnerabilities in its systems, an understaffed security operations centre, and inadequate testing of its defences. Despite handling data for millions of citizens through contracts with local councils, NHS bodies, and private clients, its cybersecurity processes were found to fall “well below expectations for a company of its size and role”.
The total penalty comprises £8 million for Capita plc and £6 million for Capita Pension Solutions, reflecting the wide range of affected stakeholders, including several large pension schemes.
An initial fine of £45 million was reduced after the company demonstrated improvements to its cybersecurity systems and cooperated with regulators, including the National Cyber Security Centre (NCSC).
John Edwards, the Information Commissioner, said: “This incident exposed the personal information of millions of people to potential misuse and caused substantial anxiety and inconvenience. While we recognise Capita’s cooperation and subsequent remediation, the case highlights the consequences of failing to act swiftly and decisively in the face of a known threat.”
Capita’s chief executive, Adolfo Hernandez, said the company had been targeted early in what became a spate of sophisticated cyber-attacks against large UK firms.
“As an organisation delivering essential public and private services, Capita was among the first in the recent wave of highly significant cyber-attacks on UK companies,” Hernandez said. “We have since invested heavily in cyber resilience and security monitoring to protect our systems and our clients’ data.”
Capita provides outsourced services for local authorities, the NHS, and private businesses — making it a key part of the UK’s public service infrastructure. The attack disrupted multiple contracts, including teachers’ pensions administration, prompting government departments to conduct reviews of their exposure to third-party cyber risks.
Andy Ward, SVP International at Absolute Security, said the incident illustrated the danger of delayed responses to cyber intrusions.
“The Capita breach highlights the critical importance of identifying and remediating cyber incidents immediately — every hour of delay multiplies the potential damage,” he said.
“True resilience isn’t just about prevention or compliance; it’s about ensuring organisations can withstand and rapidly recover from attacks while minimising downtime and disruption.”
Ward added that nearly half of UK CISOs (48%) now believe the country’s overall cyber resilience strategy is “insufficient”, calling for greater investment in detection, containment, and recovery capabilities.
The Capita breach remains one of the most significant UK corporate cyber incidents since the 2017 WannaCry attack that crippled NHS systems. The ICO’s findings underscore a broader pattern of cybersecurity weaknesses among large contractors handling sensitive public data.
While the regulator acknowledged Capita’s post-incident reforms, it said the fine should serve as a warning that delays in response and underinvestment in security carry substantial financial and reputational risks.
“Cyber resilience must be embedded across every layer of the business,” Ward said. “Leaders must assume attacks are inevitable — and be ready to respond when they come.”
