Huge outsourcing firm whacked with £14 million fine for cyber breach

Insurance didn't even cover all the initial damage after personal data of 6.6 million was compromised

By Matthew Sellers

Capita, one of Britain’s largest outsourcing firms, has been fined £14 million for data protection failings linked to the 2023 cyberattack that exposed the personal details of 6.6 million individuals, including pension members and corporate employees.

The Information Commissioner’s Office (ICO) said Capita “failed to ensure the security of processing of personal data which left it at significant risk.” The breach, which affected 325 pension schemes, followed a two-day delay in isolating a compromised device. The regulator found that known vulnerabilities had been left unresolved, the security operations centre was understaffed and response times routinely fell below internal targets.

The ICO originally proposed a £45 million penalty, but reduced it to £14 million - £8 million against Capita plc and £6 million against Capita Pension Solutions - after considering improvements made since the incident, including new cyber controls, customer support measures and cooperation with the National Cyber Security Centre. Capita accepted the settlement and admitted liability.

John Edwards, the UK Information Commissioner, said the firm “failed in its duty to protect the data entrusted to it by millions of people,” adding that the scale of the breach “could have been prevented had sufficient security measures been in place.” He warned that “no organisation is too big to ignore its responsibilities,” according to statements reported by The Guardian and the ICO.

Lapses and aftermath

The attack began when a malicious file was downloaded to an employee’s device on March 22, 2023. Despite an automated alert within 10 minutes, the machine was not quarantined for 58 hours, giving attackers time to infiltrate systems, obtain administrator rights and remove nearly a terabyte of information. Ransomware was later deployed, resetting passwords and cutting staff access.

The data included financial details, criminal record information and “special category” material such as race, religion or sexual orientation. Some of the stolen data surfaced on the dark web in the weeks after the incident.

Capita offered 12 months of credit monitoring through Experian and established a dedicated call centre for affected individuals. According to the ICO, about 260,000 people activated the service.

Industry significance

The fine underscores the mounting financial consequences of cyber negligence as attacks on British firms multiply. The NCSC this week reported a doubling in nationally significant incidents, urging businesses to ensure they could function “if your IT infrastructure [is] crippled tomorrow and all your screens [go] blank.”

Cyber specialists said the case sets a clear precedent. “Companies being held financially accountable for data protection failings is a good thing,” said Trevor Dearing of Illumio, quoted by BBC News. “It sends a message to the market that regulators are serious.”

Capita’s response and insurance cover

Capita’s chief executive, Adolfo Hernandez, appointed after the breach, said the company had “hugely strengthened our cybersecurity posture, built in advanced protections and embedded a culture of continuous vigilance,” according to The Guardian. He described Capita as “among the first in the recent wave of highly significant cyberattacks on large UK companies.”

In its subsequent filings, the company disclosed that the incident had cost £25.3 million in 2023, with later expenses of £1 million in 2024 and £3 million in the first half of 2025. Each figure was reported net of insurance receipts, suggesting that Capita had partial cyber cover. Its 2024 report confirmed a credit of £0.4 million from insurance recoveries during that period.

Broader implications for insurers

The case is being closely watched by underwriters and brokers in the cyber market, where questions persist about coverage adequacy and policy wording. Capita’s experience demonstrates how regulatory penalties, reputational damage and operational disruption can far exceed the limits of standard insurance indemnity.

For insurers, the £14 million fine - alongside Capita’s reported £29 million in net remediation costs - offers a cautionary illustration of accumulation risk within outsourced service chains handling sensitive data for public and private sector clients.
