Capita Hit with £14 Million ICO Fine Over Major Data Breach Impacting Millions
Outsourcing giant Capita has been handed a hefty £14 million fine by the Information Commissioner’s Office (ICO) after a cyber attack in 2023 exposed the personal data of more than 6.6 million people across the UK.
The watchdog confirmed that the March 2023 data breach revealed a vast range of sensitive details, from pension and payroll information to confidential client records managed by Capita on behalf of public and private sector organizations.
Some of the stolen files even contained criminal histories, financial data, and ‘special category’ information covering individuals’ race, religion, and sexual orientation.
The ICO said the incident was a “serious failure” of Capita’s duty to protect personal information, with investigators uncovering critical lapses in cybersecurity protocols and a slow response that allowed hackers extended access to company systems.
John Edwards, the UK Information Commissioner, did not mince words: “Capita failed in its duty to protect the data entrusted to it by millions of people.
The scale of this breach and its impact could have been prevented had sufficient security measures been in place.”
The ICO split the fine between Capita (£8 million) and its subsidiary Capita Pension Solutions (£6 million), which manages data for over 600 pension schemes. Around 325 organizations were affected by the breach linked to the pension arm.
The ICO noted that Capita lacked “appropriate technical and organizational measures” to manage the attack and safeguard personal information effectively.
We have fined Capita £14 million for failing to ensure the security of personal data when a data breach in 2023 saw hackers steal millions of people’s information.
For some people this included details of pension records, financial data and even special category data. pic.twitter.com/ry5A9TGKov
— ICO – Information Commissioner’s Office (@ICOnews) October 15, 2025
Originally, the fine was expected to reach £45 million, but regulators agreed to reduce it after the company cooperated, improved its defenses, and supported those impacted by the breach.
Capita said in a statement: “We regret the incident and can reaffirm that, following a detailed forensic investigation, all those identified as potentially impacted were contacted after the attack.”
Chief Executive Adolfo Hernandez, who took over in 2024, said the company had since taken major steps to overhaul its cybersecurity.
“When I joined as CEO the year after the attack, I accelerated our cybersecurity transformation, with new digital and technology leadership and significant investment.
As a result, we have hugely strengthened our cybersecurity posture, built in advanced protections, and embedded a culture of continuous vigilance.”
According to the ICO, the breach began on 22 March 2023, when an employee accidentally downloaded a malicious file.
Despite an internal alert being raised within ten minutes, the affected device was not isolated for nearly 58 hours.
That delay proved costly. The intruder gained administrator privileges, moved laterally across Capita’s network, and deployed ransomware by 31 March, forcing a system-wide lockdown and password reset.
The watchdog noted that Capita’s target response time should have been one hour.
The company had already estimated losses of up to £25 million in the aftermath of the attack, covering investigation fees, system recovery, and additional cybersecurity investments, before factoring in this latest fine.
The Capita breach was among several high-profile UK cyber incidents in 2023, joining the likes of WH Smith, Royal Mail, and Jaguar Land Rover.
Analysts say the rise in ransomware and data theft attacks underscores the urgent need for stronger data protection standards across large UK enterprises.
The ICO described the Capita case as a “stark reminder” of the risks posed by outdated systems and poor cyber hygiene in critical service providers.
For Capita, the damage goes beyond the fine; it’s a reputational blow that has shaken confidence in one of the UK’s largest outsourcing firms.
As businesses continue to digitize operations, experts warn that robust cybersecurity measures are no longer optional, they are essential defenses against a growing tide of sophisticated cyber threats.
