On 15 October 2025, the UK Information Commissioner's Office (ICO) imposed penalties totalling GBP 14 million on Capita, with Capita plc fined GBP 8 million and Capita Pension Solutions Limited fined GBP 6 million for breaches of the UK's General Data Protection Regulation (GDPR) data security requirements. The ruling highlighted that a March 2023 ransomware attack resulted in the exfiltration of 6,656,037 personal data records, including sensitive financial and special category data. The ICO found that Capita failed to implement appropriate technical measures to prevent unauthorised lateral movement within its network despite penetration tests identifying these vulnerabilities as early as August 2022. It also found that Capita's security operations centre took 58 hours to respond to a critical security alert against a one-hour target, allowing threat actors to escalate privileges and access data across multiple domains.