Published: 15 October 2025. The English Chronicle Desk. The English Chronicle Online.
The outsourcing giant Capita has been fined £14 million by the UK Information Commissioner’s Office (ICO) for serious data protection failings that led to one of the largest cyber-attacks in Britain’s recent history. The 2023 breach exposed the personal details of 6.6 million people, including sensitive information belonging to employees and customers of hundreds of companies and pension schemes.
The attack, which unfolded in March 2023, saw hackers gain access to Capita’s systems, steal nearly a terabyte of data, install ransomware, and reset user passwords, effectively locking out the company’s own staff. Despite detecting the breach within 10 minutes, Capita failed to shut down the compromised device for more than two days, allowing the hackers to exploit weaknesses in its network.
Among the data stolen were criminal record checks, financial details, and “special category” information such as race, religion, and sexual orientation. The ICO investigation found that Capita had ignored known vulnerabilities, neglected to adequately staff its security operations centre, and failed to conduct proper system testing.
Information commissioner John Edwards criticised the company’s negligence, saying the breach could have been prevented had “sufficient security measures been in place.” He said: “Capita failed in its duty to protect the data entrusted to it by millions of people. The scale and impact of this breach are unacceptable. When a company of Capita’s size falls short, the consequences reach far beyond the individuals affected — they undermine public trust in data security.”
Originally, the ICO proposed a £45 million fine, but this was reduced to £14 million after Capita demonstrated significant improvements in its cybersecurity practices and cooperation with the National Cyber Security Centre (NCSC), part of GCHQ. The NCSC recently warned that nationally significant cyber-attacks in the UK have more than doubled in the past year, urging all organisations to prepare contingency plans for potential system-wide failures.
Capita, one of the UK’s largest outsourcing and professional services firms, provides key administrative and IT support for both public and private sector clients. The company has faced intense scrutiny since the breach, especially from pension schemes and local councils that rely on its services.
Capita’s chief executive, Adolfo Hernandez, who took over after the incident, acknowledged the failures but said the company had since undergone a major cybersecurity overhaul. “As an organisation delivering essential public services as well as key services for private sector clients, Capita was among the first in the recent wave of highly significant cyber-attacks on large UK companies,” Hernandez said. “Since then, we’ve accelerated our cybersecurity transformation, introduced advanced protections, and built a culture of continuous vigilance.”
Cybersecurity experts have described the Capita breach as a wake-up call for UK businesses, warning that many large organisations remain vulnerable due to outdated infrastructure and insufficient investment in digital defences. Regulators and industry leaders have echoed the need for greater transparency, better training, and stronger contingency planning to prevent similar incidents in the future.
The ICO said the case demonstrates that “no organisation is too large to be held accountable for neglecting data protection responsibilities.” For the millions of individuals whose information was compromised, the fine offers some reassurance — but also a reminder of how fragile digital trust remains in an era of growing cyber threats.