Capita has been fined £14 million by the Information Commissioner’s Office (ICO) for serious data protection breaches following a major cyberattack in March 2023 that compromised the personal data of 6.6 million people across the UK.
The attack, in which hackers broke into Capita’s systems and extracted almost a terabyte of sensitive data, affected customers, pension fund members and employees of one of the UK’s largest outsourcing companies.
In its report, the ICO described the incident as “a systemic failure to practice basic cyber hygiene” and concluded that the breach caused “significant distress and anxiety” to millions of people whose financial, employment and personal information was exposed.
According to the regulator, Capita discovered the breach within 10 minutes of the hackers gaining access but failed to isolate the infected device for 58 hours, a delay that allowed the ransomware to spread and data to be exfiltrated.
The sensitive data stolen included financial information, criminal records and “special category data” – information that reveals a person’s race, religion, sexual orientation and health status.
The ICO investigation found that Capita had known vulnerabilities in its systems, an understaffed security centre and inadequate testing of its defences. Although Capita processes data for millions of citizens under contracts with local councils, NHS bodies and private customers, the ICO found that its cybersecurity processes “fall well short of the expectations of a company of this size and role”.
The total penalty is £8 million for Capita plc and £6 million for Capita Pension Solutions, reflecting the wide range of stakeholders affected, including several large pension schemes.
An initial fine of £45 million was reduced after the company demonstrated improvements to its cybersecurity systems and worked with regulators including the National Cyber Security Centre (NCSC).
John Edwards, the information commissioner, said: “This incident exposed the personal information of millions of people to potential misuse and caused significant distress and inconvenience. While we acknowledge Capita’s cooperation and subsequent remediation, the case highlights the consequences of failing to act quickly and decisively in the face of a known threat.”
Capita chief executive Adolfo Hernandez said the company had been targeted early in a spate of sophisticated cyberattacks against major British companies.
“As an organization that provides essential public and private services, Capita was among the first in the recent wave of extremely serious cyberattacks on UK businesses,” Hernandez said. “Since then, we have invested heavily in cyber resilience and security monitoring to protect our systems and our customers’ data.”
Capita provides outsourced services to local authorities, the NHS and private companies, making it an important part of the UK’s public infrastructure. The attack disrupted several contracts, including the administration of teacher pensions, prompting government agencies to review their exposure to third-party cyber risks.
Andy Ward, SVP International at Absolute Security, said the incident highlights the danger of delayed responses to cyberattacks.
“The Capita breach highlights the importance of detecting and remediating cyber incidents immediately – every hour of delay multiplies the potential damage,” he said.
“True resilience isn’t just about prevention or compliance; it’s about ensuring organizations can withstand and recover quickly from attacks while minimizing downtime and disruption.”
Ward added that almost half of UK CISOs (48%) now believe the country’s overall cyber resilience strategy is “inadequate” and are calling for greater investment in detection, mitigation and recovery capabilities.
The Capita breach remains one of the most significant cyber incidents to hit UK businesses since the WannaCry attack in 2017, which crippled NHS systems. The ICO’s findings highlight a broader pattern of cybersecurity weaknesses among large contractors processing sensitive public data.
While the regulator acknowledged Capita’s reforms following the incident, it said the fine should serve as a warning that delays in response and under-investment in security pose significant financial and reputational risks.
“Cyber resilience must be embedded at every level of the organization,” Ward said. “Leaders must assume that attacks are inevitable – and be ready to respond when they come.”