Capita fined £14m after cyber attack triggered by compromised employee device
The question
What can businesses learn from Capita’s recent fine about the steps needed to protect personal data?
The key takeaway
A single compromised device can have a major impact across any organisation. In Capita’s case, it led to months of disruption and a significant ICO fine. The ICO’s findings are a useful reminder that effective data security relies on people, processes and technology working together - from helping staff spot suspicious activity, to monitoring systems properly, to carrying out meaningful penetration testing (in Capita’s case at a group-wide level).
The background
On 22 March 2023, an employee at Capita accidentally downloaded a malicious file onto their work device. Although an alert was triggered quickly, the device was not quarantined for another 58 hours. During this time, attackers gained access to Capita’s systems and extracted almost one terabyte of data (more than 6.6 million records). A few days later, ransomware was deployed, allowing the attackers to reset passwords and block staff from accessing parts of the network. Full restoration of systems took until mid-June 2023.
The development
In April 2025, the ICO informed Capita that it intended to issue fines totalling £45 million for failing to put in place adequate security measures, in breach of Articles 5(1)(f), 32(1) and 32(2) of the UK GDPR. After considering Capita’s representations and the improvements made since the incident, the ICO agreed a reduced penalty of £14 million. Capita accepted the findings, with the fine split between Capita plc (£8 million) and Capita Pensions Solutions Limited (£6 million). The ICO took into account Capita’s steps to support affected individuals, including offering credit monitoring, setting up a dedicated call centre and commissioning dark-web monitoring, as well as its cooperation with regulators and the National Cyber Security Centre.
The ICO concluded that Capita had not implemented appropriate technical and organisational measures, including:
- insufficient safeguards for personal data, particularly special category data;
- poor controls to prevent attackers moving across the network;
- delays in responding to security alerts; and
- a lack of robust penetration testing and risk assessments.
Why is this important?
This case demonstrates that ICO penalties for security failings can be substantial. But beyond the fine, the operational and reputational impacts of a cyber incident can be even more damaging. The ICO’s findings highlight the importance of clear security processes, fast response times and good communication across an organisation.
Any practical tips?
Based on the ICO’s comments, areas to focus on include:
- following NCSC guidance to help identify potential intrusions early;
- monitoring systems closely and acting promptly on alerts;
- sharing penetration-testing results across the business, rather than keeping them within individual teams;
- prioritising investment in essential security controls; and
- reviewing contracts to ensure responsibilities between controllers and processors are clear and up to date.
Winter 2025