
Clifford Chance
Cyber

Talking Tech

ICO fines Capita for UK GDPR infringements following March 2023 data breach

Data Privacy | Cyber Security | 22 October 2025

On 15 October 2025, the Information Commissioner's Office (ICO) imposed a fine of £14 million on Capita plc and Capita Pension Solutions Limited for UK GDPR infringements which it found had resulted in a cybersecurity breach compromising the data of 6,656,037 individuals. The incident underscores the importance of sufficiently staffing cybersecurity roles, closing gaps identified by penetration testing, and operating in line with the organisation's own policies.

The ICO found that Capita plc and Capita Pension Solutions Limited (CPSL) (together, the Capita Entities) infringed one or more of articles 5(1)(f), 32(1)(b), 32(1)(d) and 32(2) of the UK GDPR by failing to implement and use appropriate technical and organisational measures to (i) prevent unauthorised movement within their network and (ii) respond to security alerts effectively. The ICO's monetary penalty notice sets out its reasons for the fine.

In addition to the ICO's enforcement action, the Capita Entities are also defending a multi-party claim by several thousand individuals allegedly affected.

What happened? 

The Capita Entities provide business process outsourcing and professional services for a range of private and public sector firms.

On 22 March 2023, a hacker gained access to the Capita Entities' network after an employee downloaded a malicious JavaScript file. Once inside the network, the hacker downloaded further malware, including Qakbot (also known as Qbot), a well-known trojan. Within five hours of that initial access, the hacker had escalated privileges by logging on with a domain administrator account. The Capita Entities became aware of the attack on 31 March 2023.

Over 29-30 March 2023, the hacker exfiltrated approximately 974.84GB of data relating to 6,656,037 individuals from the Capita Entities. Much of this was personal data, including special category data: personal identity records such as contact information, bank account and passport details, health information and criminal record information. Of the affected data subjects, 631,816 were individuals for whom the Capita Entities were the data controller and 6,024,221 were individuals for whom the Capita Entities were the data processor.

Failings identified by the ICO

The ICO identified two key failings by the Capita Entities:

1. Failure to implement and use appropriate technical and organisational measures to prevent unauthorised lateral movement and privilege escalation within a network for the period between 25 May 2018 and 31 March 2023.

This relates to the hacker's ability, once inside the network, to move around it and obtain higher levels of access. The ICO found it likely that this could have been prevented if the Capita Entities had Active Directory tiering in place (which restricts administrative accounts to the specific administrative capabilities they need, so that a privileged account is never used on a less trusted system), and that the hacker was able to exploit its absence. The ICO also noted that this weakness had been identified by penetration testing at least three times before the attack, and that the Capita Entities ought reasonably to have been aware of, and rectified, the deficiency.

2. Failure to implement and use appropriate technical and organisational measures to respond to security alerts for the period between 1 September 2022 and 31 March 2023.

The ICO found that the Capita Entities took 58 hours to respond effectively to the security alert triggered by the hacker's activity, against their own one-hour internal target. During that time the hacker was able to move laterally across Capita's environment, exploit vulnerabilities and gain privileged access to further accounts.
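The tiering control described under the first failing can be checked mechanically. The following Python script is an added illustration, not code from the ICO's notice or from Capita: it assumes a three-tier model (tier 0 for domain controllers and directory administrators, tier 1 for servers, tier 2 for workstations), the default Windows administrative group names, and a constructed set of Security event 4624 logons. It flags any credential-exposing logon that crosses a tier boundary, which is precisely the condition that lets a workstation foothold such as a Qakbot infection harvest domain administrator credentials.

```python
"""Audit exported Windows logon events for Active Directory tier-boundary violations.

Added example (assumed tier model and constructed sample data, not taken from the
ICO notice). Tier 0 = domain controllers and directory admins, tier 1 = servers,
tier 2 = workstations. A tier-0 or tier-1 account logging on interactively to a
lower-tier host leaves reusable credential material there; a lower-tier identity
logging on to a higher-tier host means the higher tier is being administered from
a less trusted position. Both break the tiering model.
"""
from dataclasses import dataclass

# Standard directory-wide groups; membership places an account in tier 0.
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Hypothetical tier-1 (server admin) group name; adjust to the environment.
TIER1_GROUPS = {"Server Admins"}

# 4624 logon types that cache credentials on the target host:
# 2 interactive, 4 batch, 5 service, 7 unlock, 10 RemoteInteractive/RDP,
# 11 cached interactive. Network logons (type 3) are excluded because
# they do not leave reusable credentials on the target.
CREDENTIAL_EXPOSING_LOGON_TYPES = {2, 4, 5, 7, 10, 11}


@dataclass(frozen=True)
class Logon:
    timestamp: str
    account: str
    host: str
    logon_type: int


def account_tier(account: str, group_membership: dict) -> int:
    """Derive an account's tier from its group membership (2 if in no admin group)."""
    groups = group_membership.get(account, set())
    if groups & TIER0_GROUPS:
        return 0
    if groups & TIER1_GROUPS:
        return 1
    return 2


def find_tier_violations(logons, group_membership: dict, host_tier: dict):
    """Return (logon, reason) pairs for credential-exposing logons across tier boundaries."""
    violations = []
    for lg in logons:
        if lg.logon_type not in CREDENTIAL_EXPOSING_LOGON_TYPES:
            continue
        a_tier = account_tier(lg.account, group_membership)
        h_tier = host_tier.get(lg.host, 2)  # unknown hosts are treated as least trusted
        if a_tier == h_tier:
            continue
        if a_tier < h_tier:
            reason = f"tier-{a_tier} credentials exposed on tier-{h_tier} host {lg.host}"
        else:
            reason = f"tier-{a_tier} identity administering tier-{h_tier} host {lg.host}"
        violations.append((lg, reason))
    return violations


# Constructed sample environment (not real Capita data).
SAMPLE_GROUPS = {
    "da-alice": {"Domain Admins"},
    "svc-backup": {"Server Admins"},
    "bob": set(),
}
SAMPLE_HOST_TIERS = {"DC01": 0, "FS01": 1, "WS-BOB": 2}
SAMPLE_LOGONS = [
    Logon("2023-03-22T09:01:00Z", "bob", "WS-BOB", 2),        # normal user on own workstation
    Logon("2023-03-22T09:30:00Z", "da-alice", "WS-BOB", 10),  # domain admin RDPs to a workstation
    Logon("2023-03-22T10:00:00Z", "da-alice", "DC01", 2),     # domain admin on a DC: fine
    Logon("2023-03-22T10:05:00Z", "svc-backup", "FS01", 5),   # server admin service logon: fine
    Logon("2023-03-22T10:10:00Z", "da-alice", "FS01", 3),     # network logon, no cached creds
    Logon("2023-03-22T11:00:00Z", "bob", "DC01", 10),         # ordinary user RDPs to a DC
]

if __name__ == "__main__":
    for lg, reason in find_tier_violations(SAMPLE_LOGONS, SAMPLE_GROUPS, SAMPLE_HOST_TIERS):
        print(f"{lg.timestamp} {lg.account} -> {lg.host} (type {lg.logon_type}): {reason}")
```

Run against a real export, the same check over a rolling window of 4624 events gives the evidence a penetration tester or internal audit would use to show that tiering is not being enforced; the two violations in the sample are exactly the patterns that turn a single malicious download into domain-wide access.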

UK GDPR infringements

Article 5(1)(f) UK GDPR (the integrity and confidentiality principle) requires that personal data be processed in a manner that ensures its appropriate security, using appropriate technical or organisational measures, while article 32 UK GDPR requires controllers and processors to implement a level of security appropriate to the risks involved.

In respect of both failings, the ICO found that: (i) Capita plc had infringed articles 5(1)(f), 32(1)(b), 32(1)(d) and 32(2) UK GDPR in its capacity as a data controller, and (ii) CPSL had infringed articles 32(1)(b), 32(1)(d) and 32(2) UK GDPR in its capacity as a data processor.

Key ICO takeaways

As part of its determination, the ICO considered:

  • That the Capita Entities' own internal organisational measures stressed the importance of responding to security alerts quickly;
  • The existence of technical solutions that could have prevented or mitigated the attack, and the absence of a practical reason for them not to have been implemented;
  • The Capita Entities' size and resources, which made it even more reasonable to expect them to implement costly or burdensome technical solutions than may have been the case for a smaller, less well-resourced organisation; 
  • The under-resourcing of analysts tasked with monitoring and dealing with security alerts.

ICO fine

On 10 October 2025, the Capita Entities reached a voluntary settlement with the ICO, in which they made full admissions regarding the ICO's findings of infringement. During the negotiations, the Capita Entities argued that a fine would discourage large outsourcing providers from offering services involving large-scale personal data processing, potentially hindering the growth of the digital economy. The ICO was unsympathetic to this point: (i) it considered any such impact on outsourcing providers remote, (ii) it emphasised that active enforcement builds public trust in services that process personal data, and (iii) it stressed that the ICO's growth duty did not legitimise non-compliance with data protection law.

The ICO ultimately imposed a £14,000,000 fine on the Capita Entities, £8,000,000 and £6,000,000 on Capita plc and CPSL respectively. Capita plc's turnover for the year ending 31 December 2024 was £2,421,600,000. By way of comparison, the ICO imposed a £3,100,000 fine on Advanced Computer Software Group Ltd on 27 March 2025 (see our article: ICO fines processor after inadequate security measures lead to widespread disruption to critical services).

Neil Spurgeon (and various other claimants) v Capita plc

In addition to the ICO's enforcement action, Capita plc is also defending a multi-party claim by individuals claiming to have been affected by the breach (the Claimants). On 26 March 2024, Barings Law filed a claim on behalf of 3,973 individuals alleging breaches of the Data Protection Act 2018 and the UK GDPR. The Claimants seek £1,000,000 to £5,000,000 for the alleged (i) damage caused by the compromise of their personal data and (ii) distress suffered as a result.

Per a court order dated 9 July 2025, an application brought by Capita plc to strike out the Particulars of Claim or parts of it was listed to be heard on 9 and 10 October 2025 in the Media and Communications List of the King's Bench Division. We will wait to see how the case develops within the evolving landscape of data breach group claims (see our articles: Data collective actions: The costs of losing control and Is this the end of the road for data privacy class actions in the UK?).

Conclusion

In the wake of several high-profile data breaches this summer, the consequences faced by the Capita Entities are a timely reminder of the need for firms to prioritise data protection and cybersecurity. If a data breach does occur, firms may face not only ICO action but also group claims brought on behalf of affected individuals.

Firms should:

  • sufficiently staff cybersecurity roles;
  • fill gaps in cybersecurity coverage identified by penetration testing, especially where clear technical solutions exist;
  • strive to operate in line with their own internal organisational policies and measures, in the knowledge that the ICO may later hold them to these standards;
  • seek timely legal advice in respect of not only ICO enforcement action, but also potential group claims.