The UK’s data protection regulator has fined outsourcing giant Capita £14 million for “serious and systemic failures” that led to a massive cyber-attack exposing the personal information of 6.6 million people across the country.
The Information Commissioner’s Office (ICO) said the March 2023 breach, one of the most severe in recent corporate history, was the result of “basic cyber hygiene failures” that allowed hackers to steal nearly one terabyte of sensitive data. The compromised information included financial details, employment records, criminal background checks, and “special category” data revealing individuals’ health, ethnicity, religion, and sexual orientation.
Capita, which provides services to local councils, NHS trusts, and private sector clients, detected the attack within ten minutes but failed to isolate the infected device for nearly 58 hours. The delay, investigators found, gave cybercriminals enough time to install ransomware and exfiltrate vast amounts of data.
The ICO concluded that Capita’s cybersecurity measures were “well below expectations” for a company handling millions of citizens’ records. It cited known vulnerabilities, an understaffed security team, and insufficient testing of network defences. The regulator said the firm’s shortcomings caused “significant distress and anxiety” to millions whose personal data was exposed.
The £14 million penalty includes £8 million for Capita plc and £6 million for Capita Pension Solutions, reflecting the wide range of affected clients, including major pension schemes. An initial fine of £45 million was reduced after the company cooperated with regulators and the National Cyber Security Centre (NCSC) and took steps to strengthen its cyber defences.
Information Commissioner John Edwards said the breach demonstrated “the devastating consequences of failing to respond swiftly and decisively to known cyber threats.”
“This incident exposed the personal information of millions of people to potential misuse and caused substantial anxiety and inconvenience,” Edwards said. “While we recognise Capita’s cooperation and remediation, organisations of its scale must ensure data protection is central to their operations.”
Capita’s chief executive, Adolfo Hernandez, said the company had been among the first victims in a series of sophisticated attacks targeting UK businesses. “We have since invested heavily in cyber resilience and security monitoring to protect our systems and clients’ data,” he said.
The breach disrupted several public contracts, including teachers’ pensions administration, prompting government departments to reassess third-party cybersecurity risks.
Cybersecurity experts say the case underscores how quickly breaches can escalate. Andy Ward, senior vice president at Absolute Security, said: “Every hour of delay multiplies the potential damage. True resilience isn’t just about prevention — it’s about rapid detection, containment, and recovery.”
The Capita incident ranks among the most significant UK corporate breaches since the 2017 WannaCry attack on the NHS. Regulators say it serves as a stark reminder that underinvestment in cybersecurity and slow response times can result in major financial and reputational consequences.