Key takeaways from Capita’s £14 million ICO fine
“Cyber criminals don’t wait, so businesses can’t afford to wait either – taking action today could prevent the worst from happening tomorrow.” John Edwards, UK Information Commissioner
The ICO has hit Capita (Capita plc and Capita Pensions Solutions Ltd) with a combined £14 million fine following a cyber-attack in 2023. Capita avoided a much bigger fine by admitting liability, promising not to appeal and taking mitigating actions. 6.6 million people were affected by the data breach and 325 organisations who used Capita Pensions for their pension schemes were also impacted.
What can other organisations, big and small, learn from this case?
What went wrong?
In summary,
■ The attack began when an employee unintentionally downloaded a malicious file giving the hackers access to company systems.
■ This triggered a security alert after just 10 minutes, but Capita took a further 58 hours to quarantine the compromised device.
■ Criminals were given enough time to deploy malicious software onto the Capita network and were able to move laterally across Capita’s system, exfiltrating data including special category data, financial and criminal records.
■ Nine days after the attack, ransomware was deployed onto Capita systems. All user passwords were reset, preventing staff from accessing their systems and network.
Let’s not forget it’s always easy to see the mistakes in hindsight.
Key ICO findings
The ICO investigation found Capita failed to implement appropriate technical and organisational measures, as required under UK GDPR, to safeguard and protect the data they held. This included:
■ Failure to prevent privilege escalation and unauthorised lateral movement – effective privilege access management or Active Directory tiering had not been implemented.
■ Failure to remedy known vulnerabilities – the above vulnerabilities had been flagged up on at least three previous occasions, but had not been addressed.
■ Failure to respond appropriately to security alerts – the Security Operations Centre was found to be understaffed and in the six months before the incident was falling well below internal target response times for security alerts.
■ Inadequate penetration testing and risk assessment – systems processing millions of records were not always subject to routine penetration tests. Where penetration tests had taken place, the findings were siloed within business units and not addressed universally.
Key mitigating actions taken
Originally the ICO indicated a more substantial fine of £45 million. However, Capita was able to reduce this by taking mitigating actions including:
a) Significant investment to improve its information security architecture
b) Support for those affected by the breach, including a dedicated call centre and credit monitoring services
c) Active co-operation with the ICO and the National Cyber Security Centre (NCSC).
5 key takeaways
1) Implement privilege access management or Active Directory tiering
This case underscores the importance of implementing robust access controls and applying the ‘Principle of Least Privilege’ across all systems holding personal or otherwise confidential / sensitive data. Employees (and other workers) should only have the minimum access rights needed to perform their role.
This will help to prevent hackers who gain access from being able to move laterally around your systems.
In simple terms, Privileged Access Management (PAM) is a set of security strategies which control and monitor access across your IT environment. Its aim is to prevent unauthorised access or misuse of high-level accounts, apps or services. Active Directory tiering, as the name suggests, creates administrative tiers based on the sensitivity of different assets.
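To make the tiering idea concrete, here is a small Python model added for this article (it is not code from the article, from Capita or from Microsoft). It encodes the one rule the tiering model turns on: an administrative credential is only ever used interactively on assets of its own tier, so a Tier 0 (identity) credential never touches a Tier 2 workstation where a phishing payload could harvest it. The account names, asset names and logon events are constructed; in a real estate the rule is enforced with logon restrictions and authentication policies and checked by reviewing actual logon events, and this script only shows the review logic.

```python
from dataclasses import dataclass

# Tier numbers in the classic Active Directory tiering model:
#   0 = identity systems (domain controllers, PKI, identity providers)
#   1 = member servers and business applications
#   2 = user workstations and devices
# All account, asset and event values below are constructed for the example.

@dataclass(frozen=True)
class Account:
    name: str
    tier: int  # tier whose assets this credential administers

@dataclass(frozen=True)
class Asset:
    name: str
    tier: int

def logon_allowed(account: Account, asset: Asset) -> bool:
    """Core tiering rule: a credential is used interactively only on assets
    of its own tier.  A Tier 0 credential typed into a Tier 2 workstation can
    be harvested by whatever compromised that workstation, which is the
    escalation path tiering exists to cut off; a Tier 1 account, conversely,
    has no business logging on to a domain controller."""
    return account.tier == asset.tier

def tier_violations(events, accounts, assets):
    """Review (account, asset) interactive logon events and return the ones
    that cross a tier boundary, as human-readable lines a reviewer can act on."""
    violations = []
    for acct_name, asset_name in events:
        acct, asset = accounts[acct_name], assets[asset_name]
        if not logon_allowed(acct, asset):
            violations.append(
                f"{acct_name} (tier {acct.tier}) logged on to {asset_name} (tier {asset.tier})"
            )
    return violations

ACCOUNTS = {a.name: a for a in [
    Account("da-alice", 0),   # hypothetical domain admin
    Account("srv-bob", 1),    # hypothetical server admin
    Account("ws-carol", 2),   # hypothetical helpdesk / workstation admin
]}
ASSETS = {a.name: a for a in [
    Asset("DC01", 0),
    Asset("APP01", 1),
    Asset("WS-0042", 2),
]}
# Constructed interactive logon events: (account, asset)
EVENTS = [
    ("da-alice", "DC01"),     # fine: Tier 0 admin on a Tier 0 asset
    ("srv-bob", "APP01"),     # fine
    ("ws-carol", "WS-0042"),  # fine
    ("da-alice", "WS-0042"),  # Tier 0 credential exposed on a workstation
    ("srv-bob", "DC01"),      # Tier 1 admin reaching up into Tier 0
]

def review() -> list:
    """Run the tier check over the constructed events."""
    return tier_violations(EVENTS, ACCOUNTS, ASSETS)

if __name__ == "__main__":
    for line in review():
        print("VIOLATION:", line)
```

The same check generalises to any number of tiers: what matters is not the number of accounts but that no credential crosses downwards into a less trusted tier, which is the lateral-movement path the ICO found Capita had left open.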
2) Fix known vulnerabilities, and pronto!
This case highlights how known vulnerabilities must be prioritised. Don’t put them in the ‘too difficult tray’. Make sure you have adequate budget and resources to remedy them.
3) Implement routine penetration tests
Penetration tests at Capita had flagged high-risk issues before the attack took place. If these had been addressed? Well, I might not be writing this article.
4) Create a robust information security incident plan
Despite having an internal target of ‘one-hour’ to respond to high priority alerts, Capita took 58 hours to contain the incident. A robust incident plan isn’t a nice to have, it’s a must have. Response times and service levels must be met. This will go a long way to help make sure any response to a significant incident is as effective and efficient as possible. Where possible, practise your plan, review it and tinker with it. Be sure to make it clear which roles are responsible for what and when.
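Measuring whether that response target is actually being met is something a security team can automate. The Python below is an added example for this article (not Capita’s or the ICO’s own tooling) that takes alert records of the kind a SIEM or ticketing system would hold, works out time-to-contain for each high-priority alert against a one-hour target, and reports the breaches. The alert records and timestamps are constructed; one of them deliberately echoes the 58-hour figure from the case. Alerts that are still open are measured up to a supplied `as_of` time so that an alert nobody has actioned still counts against the target rather than dropping out of the metric.

```python
from datetime import datetime, timedelta

# Internal target for high-priority alerts (the article cites a one-hour target).
HIGH_PRIORITY_TARGET = timedelta(hours=1)

# Constructed alert records, not real data.  "contained" is None while the
# alert is still open.  Timestamps are plain "YYYY-MM-DD HH:MM" strings.
ALERTS = [
    {"id": "A-1001", "priority": "high", "raised": "2023-03-22 09:10", "contained": "2023-03-24 19:10"},
    {"id": "A-1002", "priority": "high", "raised": "2023-03-22 10:00", "contained": "2023-03-22 10:45"},
    {"id": "A-1003", "priority": "high", "raised": "2023-03-22 11:00", "contained": "2023-03-22 12:00"},
    {"id": "A-1004", "priority": "high", "raised": "2023-03-22 13:30", "contained": None},
    {"id": "A-1005", "priority": "low",  "raised": "2023-03-22 08:00", "contained": "2023-03-22 15:00"},
]

def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def time_to_contain(alert: dict, as_of: datetime) -> timedelta:
    """Elapsed time from the alert being raised to containment.  Open alerts
    are measured up to `as_of`, so an unactioned alert still counts."""
    raised = parse_ts(alert["raised"])
    end = parse_ts(alert["contained"]) if alert["contained"] else as_of
    return end - raised

def sla_report(alerts, as_of: datetime,
               target: timedelta = HIGH_PRIORITY_TARGET,
               priority: str = "high") -> dict:
    """Summarise target compliance for alerts of the given priority.
    An alert breaches the target only if it took strictly longer than `target`."""
    measured = [a for a in alerts if a["priority"] == priority]
    breached_ids, worst = [], timedelta(0)
    for a in measured:
        ttc = time_to_contain(a, as_of)
        worst = max(worst, ttc)
        if ttc > target:
            breached_ids.append(a["id"])
    return {
        "measured": len(measured),
        "breached_ids": breached_ids,
        "breach_rate": len(breached_ids) / len(measured) if measured else 0.0,
        "worst_hours": worst.total_seconds() / 3600,
    }

if __name__ == "__main__":
    report = sla_report(ALERTS, as_of=parse_ts("2023-03-22 16:00"))
    print(report)
```

Run over a real six-month window, a report like this is exactly the evidence that would have shown a SOC was “falling well below internal target response times” long before an incident forced the question.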
Organisations are also being advised to have paper copies of their critical incident documentation in case electronic systems can’t be accessed.
5) Keep raising awareness
You simply can’t do too much to alert your people to the risks of increasingly sophisticated malicious attacks. Don’t just rely on annual training, keep pressing the message home via internal communications, town halls, posters – whatever works best.
Combatting the cyber threat
This case serves as a massive reminder there are proactive steps we can take to reduce security risks. We’ve seen how devastating attacks can be for organisations such as Capita, M&S, JLR and the Co-op. In some cases, a significant cyber-attack will completely bring a company to its knees.
The ICO has published resources to help, including guidance on protecting systems from ransomware attacks. The National Cyber Security Centre (NCSC) has recently launched a new Cyber Action Toolkit specifically aimed at small businesses.