Capita has been fined £14 million by the UK’s Information Commissioner’s Office (ICO) for a 2023 data breach that exposed the personal information of 6.6 million people. The incident affected hundreds of organisations across the UK, including pension providers, government agencies and private-sector clients.
Breach Exposed Millions of Records
Capita, a major UK outsourcing and professional services firm, offers digital, consulting, and software solutions to clients such as the NHS, the Ministry of Defence, and local councils. The company employs around 34,000 people and reports annual revenues of £3 billion.
According to the ICO’s report, the breach affected over 325 pension schemes and numerous other Capita clients. The regulator initially proposed a penalty of £45 million but reduced it to £14 million after the company accepted responsibility, strengthened its cybersecurity framework and provided protective measures for affected individuals. The fine comprises £8 million for Capita plc and £6 million for Capita Pension Solutions Limited. The ICO confirmed that nearly one terabyte of sensitive data was stolen in the incident.
Attack Originated from Malicious File Download
The cyberattack began on March 22, 2023, when a Capita employee downloaded a malicious file that infiltrated the company’s internal network. Although the breach was detected within ten minutes, the infected device remained active for another 58 hours before being isolated.
This delay allowed attackers to spread laterally across Capita’s systems, gain administrator privileges, and access multiple sensitive databases. During this time, the hackers exfiltrated large volumes of confidential data.
On March 31, 2023, ransomware was deployed, locking users out of company systems. The Black Basta ransomware group later claimed responsibility, threatening to leak the stolen files unless a ransom was paid. Capita responded by taking parts of its Microsoft 365 environment offline and notifying affected clients. The case highlights the consequences of insufficient cybersecurity vigilance at large corporations.
In its statement, the ICO emphasized that Capita’s delayed response and weak access controls contributed significantly to the scale of the breach. Investigators noted the absence of a tiered admin account model, a shortage of security operations staff, and a lack of regular penetration testing and risk management exercises.
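The tiered admin model the ICO cited is the control that stops a single infected workstation from yielding domain-level privileges: accounts that administer identity systems (Tier 0) must never log on interactively to servers (Tier 1) or workstations (Tier 2), because any host that receives an interactive logon caches credentials an attacker on that host can reuse. The following Python is an added example, not part of the ICO report or Capita’s tooling; it flags tier violations in Windows 4624-style logon events. The account and host tier tables, the log line format and the log lines themselves are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Tier model (assumption; follows the usual enterprise access tiering):
#   0 = identity infrastructure (domain controllers, PKI)
#   1 = member servers and applications
#   2 = user workstations
# Rule: an account's credentials must never be exposed on a host whose tier
# number is higher (less trusted) than the account's own tier.
ACCOUNT_TIER = {                      # constructed sample data
    "da-alice@corp.example": 0,
    "srv-admin-bob@corp.example": 1,
    "jsmith@corp.example": 2,
}
HOST_TIER = {                         # constructed sample data
    "DC01": 0, "FS-02": 1, "APP-07": 1, "WS-0102": 2, "WS-0417": 2,
}

# Windows logon types that leave reusable credentials on the target host.
# Type 3 (network) is excluded: it authenticates without caching the secret there.
CREDENTIAL_EXPOSING_LOGON_TYPES = {2, 4, 5, 7, 10, 11}

@dataclass(frozen=True)
class LogonEvent:
    timestamp: datetime
    account: str
    host: str
    logon_type: int

def parse_event(line: str) -> LogonEvent:
    """Parse one constructed 'ts Key=Value ...' log line into a LogonEvent."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return LogonEvent(
        timestamp=datetime.fromisoformat(ts.replace("Z", "+00:00")),
        account=kv["Account"],
        host=kv["Host"],
        logon_type=int(kv["LogonType"]),
    )

def tier_violations(events, account_tier=ACCOUNT_TIER, host_tier=HOST_TIER):
    """Return (event, reason) pairs for logons that break the tier boundary."""
    findings = []
    for ev in events:
        a_tier = account_tier.get(ev.account)
        h_tier = host_tier.get(ev.host)
        if a_tier is None or h_tier is None:
            # Unclassified assets are a finding in themselves: the model only
            # works if every privileged account and host has a tier.
            findings.append((ev, "unclassified account or host"))
            continue
        if ev.logon_type not in CREDENTIAL_EXPOSING_LOGON_TYPES:
            continue
        if h_tier > a_tier:
            findings.append((ev, f"tier {a_tier} credential exposed on tier {h_tier} host"))
    return findings

# Constructed sample log: one Tier 0 admin on a workstation, one Tier 1 admin
# on a workstation, one unclassified service account, and benign logons.
SAMPLE_LOG = """\
2023-03-22T09:14:02Z EventID=4624 Account=da-alice@corp.example Host=DC01 LogonType=10
2023-03-22T09:31:47Z EventID=4624 Account=da-alice@corp.example Host=WS-0417 LogonType=10
2023-03-22T10:02:11Z EventID=4624 Account=srv-admin-bob@corp.example Host=APP-07 LogonType=2
2023-03-22T10:05:39Z EventID=4624 Account=srv-admin-bob@corp.example Host=WS-0102 LogonType=2
2023-03-22T10:06:00Z EventID=4624 Account=jsmith@corp.example Host=WS-0102 LogonType=2
2023-03-22T10:40:15Z EventID=4624 Account=da-alice@corp.example Host=FS-02 LogonType=3
2023-03-22T11:12:58Z EventID=4624 Account=svc-backup@corp.example Host=APP-07 LogonType=5
"""

def run_sample():
    """Apply the check to the constructed log and return the findings."""
    events = [parse_event(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return tier_violations(events)

if __name__ == "__main__":
    for ev, reason in run_sample():
        print(f"{ev.timestamp.isoformat()} {ev.account} -> {ev.host}: {reason}")
```

Feeding real 4624 events through a rule like this (or the equivalent SIEM query) is how a shortage of security operations staff is partly compensated for: the tier boundary is enforced by alerting, not by hoping administrators remember it. The network-logon exclusion is the usual caveat; the rule is about where credentials are cached, not about who may reach which host.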
Company Strengthens Cybersecurity Measures
Following the breach, the company has implemented several key security improvements to prevent similar incidents. These include enhanced monitoring of its network, stricter access control policies, and expanded training for staff to identify potential cyber threats.
CEO Adolfo Hernandez said the company has made “significant investments” in improving its cybersecurity resilience since the 2023 attack. He confirmed that the fine will not affect Capita’s previously announced investor guidance, signalling financial stability despite the penalty.
The ICO’s final decision highlights the growing regulatory emphasis on corporate accountability for cybersecurity failures. Organizations that manage large volumes of personal or client data are now expected to demonstrate proactive risk management and timely responses to incidents.
For businesses, the Capita case serves as a reminder of the need for strong cyber hygiene practices. Timely containment, not just detection, along with employee awareness and regular system audits, is essential to prevent attackers from exploiting vulnerabilities.
This breach stands among the largest corporate data incidents reported in the UK in recent years, underlining the ongoing threat of ransomware and the critical importance of robust cybersecurity frameworks.