Loretta Pugh
Partner
Co-lead of Data Protection and Cyber Security (UK)
The £14 million penalty imposed by the Information Commissioner's Office (ICO) on Capita plc and Capita Pension Solutions Limited (CPSL) marked one of the most significant UK data protection enforcement actions in recent years. Issued in October 2025, the penalty followed the major March 2023 data breach, which led to the theft of personal data belonging to 6.6 million individuals and affected more than 325 organisations.
In its Monetary Penalty Notice (MPN), the ICO sets out clear lessons for UK organisations handling personal data, particularly those processing large volumes of sensitive information. This article highlights what happened, why the ICO took enforcement action and the practical steps organisations should take to strengthen their data protection and cyber security posture.
The initial breach occurred when a malicious JavaScript file was downloaded onto an employee’s device. This allowed attackers to enter Capita’s network, deploy ransomware and extract nearly one terabyte of data.
Capita's systems raised an internal P2 High alert indicating malicious activity on 22 March 2023, but the Security Operations Centre (SOC) did not respond to this high-priority alert for 58 hours. Once the SOC acted, it quarantined the device, installed antivirus software and changed the user's password. However, this response time far exceeded Capita's internal one-hour target. During the 58-hour window, attackers escalated privileges, moved laterally across Capita's systems and locked out Capita staff.
The compromised data included names, National Insurance numbers, bank details, passport scans, biometric data and special category data such as health records and union membership.
After the breach, Capita took several steps, including:
The ICO emphasised in its MPN that these were reactive measures. Post‑incident improvements do not remove earlier failures, especially where basic preventative steps were missing.
In its MPN, the ICO identified several failings that contributed to the Capita data breach and fell below expected standards for handling personal data. Capita plc, as controller, was found to have breached:
CPSL, as processor, breached Articles 32(1)(b), 32(1)(d) and 32(2).
Capita had not implemented Active Directory Tiering or Privileged Access Management (PAM). These measures restrict administrative access and help prevent attackers who compromise lower‑tier accounts from reaching higher‑level systems.
Without them, attackers were able to move across domains and escalate privileges without restriction. Penetration tests had highlighted these gaps on at least three occasions before the breach, but they were not addressed. The ICO noted that Capita “had decided to accept the risk”, signalling its concern where organisations identify but fail to address known risks.
A high‑priority alert was raised within 10 minutes of the breach, yet Capita’s SOC took 58 hours to respond. Only one analyst had been on shift. The ICO found this level of resourcing inadequate for an organisation of Capita’s size and said the delay directly enabled the attackers to extract data.
The ICO also noted that Capita could have increased SOC capacity much earlier, as shown by the doubling of SOC analysts after the incident.
Capita's systems processing millions of records, including special category data, were only tested when first commissioned. There was no regular or ongoing penetration testing, and findings were not shared across the organisation.
Capita said that individual business units managed their own testing. The ICO responded that for “an organisation with a large and complex network infrastructure such as Capita”, it is even more important that findings and remediation advice are shared widely so that other parts of the organisation can act on them. While a single organisation‑wide test may not always be practical, the ICO expects learnings to be passed on to all relevant teams.
The ICO also considered Capita’s size, resources and experience as aggravating factors. It stated: “Given Capita’s size and resources, as well as its experience in personal data processing… the Commissioner considers that Capita plc bears a higher degree of responsibility for the infringements.” As a large and well‑resourced processor of sensitive data, Capita was expected to meet higher standards of security and governance.
The ICO imposed a combined £14 million penalty:
The initial penalty was £58 million but was reduced due to mitigating factors, including post‑incident improvements and cooperation with authorities. The Capita entities entered a voluntary settlement agreement and admitted the infringements.
The ICO considered the final penalty to be an “effective, proportionate and dissuasive measure”.
The Capita case provides clear lessons for organisations processing personal data:
The MPN states that Active Directory Tiering and PAM are now essential components of an effective security strategy for large organisations handling sensitive data. Organisations should also carry out regular penetration testing and ensure findings are shared across the organisation.
SOC teams should be resourced to respond to high‑priority alerts within industry‑standard timeframes, typically one hour. Delays give attackers time to escalate activity and extract data.
Cyber resilience should form part of governance frameworks. Boards should understand the organisation’s security posture and ensure that processors also meet required standards.
Processors bear their own independent security obligations under Article 32 UK GDPR and cannot rely on shared group controls or controller oversight to discharge those duties. Pension scheme administrators acting as data processors must ensure they have robust technical and organisational measures in place to protect the large volumes of special category data they process on behalf of scheme trustees.
The Capita case is a reminder that proactive cyber risk management and timely incident responses are essential. The ICO’s findings show that:
For organisations handling personal data, the measures highlighted in the MPN now represent baseline expectations from both a regulatory and client risk‑management perspective.
The Capita decision is a clear reminder that strong security measures, timely incident response and active governance are now baseline expectations for UK organisations handling personal data. Taking steps to review your current approach can help ensure you are prepared, resilient and able to demonstrate compliance when it matters most.
If you'd like support as trustees reviewing your scheme's cyber security measures, get in touch with our Pensions team.
If you’d like support assessing your organisation’s readiness or understanding what this decision means for you, get in touch with our Cyber Security and Resilience team.
THIS DOES NOT CONSTITUTE LEGAL ADVICE. The information presented on this website, in whatever form, is provided for informational purposes only. It does not constitute legal advice and should not be interpreted as such. No user should take, or refrain from taking, decisions based solely on this information, nor disregard professional legal advice or delay seeking professional advice on the basis of anything read on this website. The professionals at Gowling WLG will be pleased to discuss the available options with users regarding specific legal questions.