Friday, October 17, 2025

The UK Information Commissioner’s Office (ICO) has fined Capita £14 million (approximately $18.7 million) over a 2023 data breach that exposed the personal information of more than 6.6 million individuals. Capita is one of the UK’s largest outsourcing and business consulting firms, with over 34,000 employees; its clients include government bodies such as local councils, the National Health Service (NHS) and the Ministry of Defence, as well as organizations in the financial, energy, and telecommunications sectors.
The ICO’s investigation found that the breach affected hundreds of client organizations, including more than 325 pension funds. The incident began in March 2023 when a Capita employee downloaded a malicious file, giving the attackers a foothold on the company’s internal network that they kept for up to 58 hours. Although security tooling flagged the anomaly within 10 minutes, the infected machine was not promptly isolated, so the early detection did little to limit the damage: the attackers moved laterally across the network, accessed sensitive databases, and exfiltrated nearly 1 terabyte of data before deploying ransomware and resetting all user passwords. The Black Basta ransomware group claimed responsibility and threatened to publish the stolen data if the ransom was not paid.
According to the ICO, Capita had multiple security weaknesses, including inadequate access controls, a delayed incident response, an understaffed security operations center (SOC), and a lack of regular penetration testing and risk assessments. The fine was split between Capita plc (£8 million) and Capita Pension Solutions Limited (£6 million). The ICO noted that the initial penalty of £45 million was reduced because Capita admitted liability, improved its security systems, and offered free personal data monitoring services to affected individuals. Capita’s CEO confirmed that the company has since made additional investments in cybersecurity to prevent similar incidents.