
Capita fined £14 million after 2023 breach

by Aaron Flack on Oct 17, 2025



Capita has been fined a combined £14 million after the Information Commissioner’s Office found serious security failings linked to a 2023 cyber incident that exposed data belonging to millions of people. The decision, issued on 15 October 2025, split the penalty between Capita plc (£8 million) and Capita Pension Solutions Limited (£6 million). It followed an investigation that concluded the company had failed to implement appropriate technical and organisational measures under the UK General Data Protection Regulation.

The breach originated in March 2023 when attackers gained access through an unpatched system and moved laterally across the network. Regulators said personal and special category data was exfiltrated, affecting over six million individuals across pension schemes and other Capita-administered services. Although detection systems issued early alerts, the compromised device remained active for 58 hours before being quarantined, allowing the attacker to harvest data before deploying ransomware.

The ICO’s penalty notice detailed multiple weaknesses, including privileged access controls, alert handling, and monitoring processes that did not prevent lateral movement. It highlighted inadequate staffing levels within the security operations centre, where at times only one analyst was on duty, and a pattern of missed service levels for critical alerts. These operational weaknesses were judged to have materially increased the scale of data loss.

Capita cooperated fully with the investigation and implemented a range of improvements, leading to a reduction in the initial proposed fine from £45 million. The company stated that it regretted the incident and had since invested in new leadership, enhanced controls, and improved oversight across its cyber operations. While the ICO acknowledged these steps, it emphasised that the failures predated those reforms and reflected long-term underinvestment in basic controls.

The case has implications far beyond a single outsourcer. It establishes clearer expectations for how large data processors must manage detection, containment, and privileged access. For Chief Information Officers, the lesson is not abstract. Detection alone is not protection. Containment time must be designed, measured, and rehearsed. A 58-hour dwell window illustrates how a manageable intrusion can escalate into a major compliance and reputational crisis.

The ruling also reinforces that privileged access and identity governance remain at the centre of cyber resilience. Weak segmentation and static administrator rights create environments where one compromised account can compromise everything. CIOs should revisit tiered administrative models, enforce just-in-time access, and monitor privilege escalation through Security Information and Event Management (SIEM) tooling and identity analytics. Regulators no longer accept “trusted admin” models as sufficient protection.

Operational capacity in the security operations centre is now a governance issue, not a technical one. Board-level oversight should include metrics on alert volumes, response times, and out-of-hours coverage. When internal resources are limited, managed detection and response contracts must define measurable service levels that ensure coverage across shifts. Under-resourcing a SOC is now interpreted as a failure of control.
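As an added illustration (not part of the article, and not Capita's or the ICO's data), the script below turns the points above about measured containment time and out-of-hours coverage into numbers a board could actually review: it computes dwell time per alert against a per-severity containment target, keeps still-open alerts in the breach count, and reports what share of breaches were raised outside business hours. The alert records, the SLA targets and the Mon-Fri 08:00-18:00 business window are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample alert records (not from the ICO notice): when each alert
# fired, when the affected host was actually isolated, and its severity.
# A-1 mirrors the 58-hour window the article describes; A-5 is still open.
ALERTS = [
    {"id": "A-1", "severity": "critical", "detected": "2023-03-22T10:00:00", "contained": "2023-03-24T20:00:00"},
    {"id": "A-2", "severity": "critical", "detected": "2023-03-25T02:30:00", "contained": "2023-03-25T03:15:00"},
    {"id": "A-3", "severity": "high", "detected": "2023-03-25T14:00:00", "contained": "2023-03-25T22:30:00"},
    {"id": "A-4", "severity": "high", "detected": "2023-03-26T11:00:00", "contained": "2023-03-26T13:00:00"},
    {"id": "A-5", "severity": "critical", "detected": "2023-03-27T23:10:00", "contained": None},
]
# Hypothetical containment targets in hours per severity; not Capita's real SLAs.
SLA_HOURS = {"critical": 1, "high": 4, "medium": 24}

def out_of_hours(ts: datetime) -> bool:
    """Assumed business window Mon-Fri 08:00-18:00; anything else is out of hours."""
    return ts.weekday() >= 5 or not 8 <= ts.hour < 18

def assess(alerts, now, sla=SLA_HOURS):
    """Dwell time and SLA status per alert. Open alerts are measured against `now`,
    so an unresolved critical alert shows as a breach instead of vanishing from the numbers."""
    rows = []
    for a in alerts:
        detected = datetime.fromisoformat(a["detected"])
        end = datetime.fromisoformat(a["contained"]) if a["contained"] else now
        dwell = (end - detected).total_seconds() / 3600
        rows.append({
            "id": a["id"],
            "severity": a["severity"],
            "dwell_hours": round(dwell, 2),
            "breached": dwell > sla[a["severity"]],
            "out_of_hours": out_of_hours(detected),
        })
    return rows

def summary(rows):
    """Board-level metrics: breach rate per severity, worst dwell time, and the
    share of SLA breaches raised out of hours (a shift-coverage signal)."""
    per_sev = {}
    for r in rows:
        n_b = per_sev.setdefault(r["severity"], [0, 0])  # [total, breached]
        n_b[0] += 1
        n_b[1] += r["breached"]
    breached = [r for r in rows if r["breached"]]
    return {
        "breach_rate": {k: b / n for k, (n, b) in per_sev.items()},
        "max_dwell_hours": max(r["dwell_hours"] for r in rows),
        "ooh_share_of_breaches": sum(r["out_of_hours"] for r in breached) / len(breached) if breached else 0.0,
    }
```

Run `summary(assess(ALERTS, now=datetime.fromisoformat("2023-03-28T09:00:00")))` to get the report for the constructed data.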

The fine also underscores the limitations of traditional supplier assurance. Many organisations rely on external providers for payroll, pensions, and customer services, assuming their data is safe by default. The ICO’s findings confirm that accountability remains with the data controller, regardless of delegation. CIOs should review supplier contracts to ensure they include containment service levels, evidence of incident response testing, and documented segregation of client data. Due diligence should move beyond certificates and questionnaires to demonstrable proof of resilience.

For boards and audit committees, this ruling changes the questions they should ask. How long does it take to isolate a live compromise across identity and endpoint systems? How concentrated is privileged access, and what are the fallback plans if it is abused? How often are suppliers tested under real conditions rather than tabletop exercises? These are now governance questions, not operational details.

The Capita case is among the most significant UK data protection fines in recent years and the largest related to ransomware. It demonstrates that regulators will pursue penalties not just for data loss, but for slow response, thin staffing, and untested assumptions. For CIOs, the practical takeaway is direct: treat containment speed, privileged access management, and supplier control as board-level risks, not operational metrics. Cyber resilience is no longer measured by whether alerts are raised. It is calculated by how fast they are acted upon and how much data stays untouched.
