Capita

Capita has been fined £14 million by the UK's data watchdog for serious failings in its handling of personal data during a major cyber-attack in March 2023.

The breach exposed sensitive information belonging to 6.6 million people, prompting widespread concern and regulatory scrutiny.

ICO Issues £14m Penalty Over Data Protection Breach

The Information Commissioner's Office (ICO) confirmed on 15 October 2025 that Capita plc and its subsidiary Capita Pension Solutions Limited were jointly fined for failing to ensure the security of personal data.

The ICO stated that Capita's systems were vulnerable and inadequately protected, allowing hackers to steal nearly one terabyte of data during the attack.

'Capita failed in its duty to protect the data entrusted to it by millions of people. The scale of this breach and its impact could have been prevented had sufficient security measures been in place,' the ICO said in its official statement.

Originally, the ICO had proposed a fine of £45 million, but this was reduced following Capita's cooperation, remedial actions, and engagement with the National Cyber Security Centre (NCSC).

What Happened During the 2023 Cyber-Attack?


The breach occurred on 22 March 2023 when a Capita employee inadvertently downloaded malware linked to the Black Basta ransomware group.

Although a high-priority alert was raised within 10 minutes, the infected device was not quarantined for 58 hours, allowing the attackers to escalate privileges and move laterally across Capita's network.
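The gap described above, a high-priority alert raised within minutes but the endpoint left on the network for days, is a measurable quantity that a SOC can track and report on. As an added illustration (not Capita's data or tooling), the script below parses a small set of constructed endpoint events, computes the time from first high-severity alert to host quarantine for each host, and lists the hosts that were never contained or were contained after a chosen SLA. The event format, host names and the one-hour SLA are assumptions for the example; the 58-hour case is constructed to mirror the timeline in the text.

```python
from datetime import datetime, timedelta

# Constructed sample events in the form "timestamp|host|event".
# wks-017 mirrors the pattern in the article: alerted after 10 minutes,
# quarantined 58 hours later. wks-042 is contained promptly; srv-003 never is.
SAMPLE_EVENTS = """\
2023-03-22T09:00:00|wks-017|malware_executed
2023-03-22T09:10:00|wks-017|alert_high
2023-03-24T19:10:00|wks-017|host_quarantined
2023-03-22T11:00:00|wks-042|malware_executed
2023-03-22T11:04:00|wks-042|alert_high
2023-03-22T11:30:00|wks-042|host_quarantined
2023-03-22T13:00:00|srv-003|alert_high
"""


def parse_events(text):
    """Parse 'timestamp|host|event' lines into (datetime, host, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind = line.split("|")
        events.append((datetime.fromisoformat(ts), host, kind))
    return events


def containment_gaps(events):
    """Map each alerted host to the time from its first high alert to quarantine.

    A host with no quarantine event (or one that precedes the alert) maps to None.
    """
    first_alert = {}
    quarantined = {}
    for ts, host, kind in sorted(events):
        if kind == "alert_high" and host not in first_alert:
            first_alert[host] = ts
        elif kind == "host_quarantined" and host not in quarantined:
            quarantined[host] = ts
    gaps = {}
    for host, alerted in first_alert.items():
        q = quarantined.get(host)
        gaps[host] = (q - alerted) if q is not None and q >= alerted else None
    return gaps


def gap_hours(text):
    """Convenience wrapper: containment gap per host in hours (None if uncontained)."""
    gaps = containment_gaps(parse_events(text))
    return {h: (g.total_seconds() / 3600 if g is not None else None) for h, g in gaps.items()}


def sla_breaches(text, sla_hours=1.0):
    """Hosts whose alert was never contained or contained after the SLA (assumed 1h)."""
    hours = gap_hours(text)
    return sorted(h for h, g in hours.items() if g is None or g > sla_hours)


if __name__ == "__main__":
    for host, hrs in gap_hours(SAMPLE_EVENTS).items():
        print(f"{host}: {'uncontained' if hrs is None else f'{hrs:.1f}h'}")
    print("SLA breaches:", sla_breaches(SAMPLE_EVENTS))
```

Feeding real EDR or SIEM exports into `parse_events` only needs the three fields shown; the point of the metric is that a fast alert is worth little if the quarantine step is manual and measured in days rather than minutes.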

The attack resulted in the theft of personal data, including:

  • Pension records
  • Staff employment details
  • Customer information from organisations supported by Capita
  • Sensitive categories such as criminal records, financial data, and special category data (including race, religion, and sexual orientation)

Hackers exfiltrated nearly one terabyte of sensitive data and triggered a mass password reset, effectively locking Capita staff out of internal systems.

Impact on Individuals and Organisations

The breach affected a wide range of public and private sector clients, including local authorities, pension schemes, and government departments.

The ICO noted that the exposure of such sensitive data caused 'anxiety and stress' among affected individuals.

Capita has since offered support to those impacted and implemented additional security measures.

However, critics argue that the breach was preventable and indicative of systemic weaknesses in the company's cybersecurity protocols.

Capita's Response and Regulatory Engagement

Capita has accepted the fine and confirmed it will not appeal the decision. In a statement, the company said it had worked closely with regulators and taken steps to strengthen its data protection framework.

'We regret the incident and can reaffirm that, following a detailed forensic investigation, all those identified as potentially impacted were contacted after the attack,' a Capita spokesperson said.

The ICO acknowledged Capita's post-breach cooperation and improvements, which contributed to the reduced penalty.

Wider Implications for UK Cybersecurity

The Capita case has reignited debate over cybersecurity standards in outsourced public services. Experts warn that large contractors handling sensitive data must be held to higher accountability thresholds.

The ICO's decision sends a clear message to other firms: failure to protect personal data can result in substantial financial and reputational damage.