On 3 April 2025, the Information Commissioner’s Office (ICO) issued a Notice of Intent to Capita plc and Capita Pension Solutions Limited proposing penalties of GBP 25 million and GBP 20 million, respectively, over provisional findings that they breached the UK General Data Protection Regulation (GDPR) in relation to the March 2023 ransomware attack. The attack resulted in the exfiltration of 6,656,037 personal data records, including sensitive financial and special category data. The Notice outlined the Commissioner's assessment that Capita failed to implement appropriate technical and organisational measures to prevent unauthorised lateral movement within its network and to respond effectively to security alerts.