Description

Information Commissioner’s Office reached settlement with Capita over data security breaches

On 10 October 2025, Capita plc and Capita Pension Solutions Limited (CPSL) entered into a settlement agreement with the Information Commissioner to resolve the investigation into the March 2023 cyber incident. The companies made full admissions regarding the Commissioner's findings of infringement and agreed to pay reduced penalties totalling GBP 14 million. The settlement saw the initially proposed penalties of GBP 25 million for Capita plc and GBP 20 million for CPSL substantially reduced to GBP 8 million and GBP 6 million, respectively. The Commissioner acknowledged that the settlement enabled time and cost savings whilst achieving regulatory certainty sooner by avoiding a potentially lengthy appeal process. As part of the agreement, the Capita entities admitted breaches of UK GDPR Articles 5(1)(f) and 32 relating to their failures to implement appropriate security measures, including Active Directory tiering and timely response to security alerts, and agreed not to appeal the Commissioner's decision.

Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: other service provider
Implementation Level: national
Government Branch: executive
Government Body: data protection authority

Complete timeline of this policy change

2025-04-03
under investigation

On 3 April 2025, the Information Commissioner’s Office (ICO) issued a Notice of Intent to Capita pl…

2025-10-10
under investigation

On 10 October 2025, Capita plc and Capita Pension Solutions Limited entered into a settlement agree…

2025-10-15
in force

On 15 October 2025, the UK Information Commissioner's Office (ICO) imposed penalties totalling GBP …