
Capita Fined £14M for Cybersecurity Failings Over Hack That Exposed Data of 6.6 Million People
The UK’s data regulator has fined outsourcing giant Capita £14 million after a cyber-attack in 2023 exposed the personal data of 6.6 million people — including sensitive details like financial records, passport images, and even criminal history.
The Information Commissioner's Office (ICO) slammed the company for “failing to ensure the security of personal data,” calling the breach both preventable and harmful. “Capita failed in its duty to protect the data entrusted to it by millions of people,” said John Edwards, the Information Commissioner. “This breach and its impact could have been prevented had sufficient security measures been in place.”
What Went Wrong?
The attack happened in March 2023, when a malicious file was accidentally downloaded onto a Capita employee's device. Although the intrusion was detected quickly, the infected machine was not isolated for nearly 58 hours. That gap between alert and containment gave the attackers time to expand their access across the network, deploy ransomware, and exfiltrate nearly one terabyte of data. The attackers also reset all user passwords, locking out Capita staff and causing significant operational disruption.
Capita provides administrative services for hundreds of organisations, and 325 of the pension schemes it administers were affected. Victims included customers of Capita's clients as well as internal staff. Some of the stolen data was extremely sensitive, including criminal records, financial information, and what is known as "special category data": details such as race, religion, and sexual orientation.
After the breach, some of this data began circulating on the dark web, sparking real anxiety for those affected. The ICO noted that many victims reported stress and uncertainty after learning their personal information had been compromised.
Fine reduced to £14 million
The ICO originally proposed a £45 million fine — one of the largest in UK history — but reduced it to £14 million after Capita acknowledged its failures, made security upgrades, and cooperated with both regulators and the National Cyber Security Centre (NCSC).
According to the watchdog, the company's security operations were under-resourced, it had left known vulnerabilities unfixed, and it had not properly tested its defences, all despite handling millions of private and sensitive records.
“When a company of Capita’s size falls short, the consequences can be significant,” Edwards said. “Not only for those whose data is compromised... but for wider trust among the public.”
Capita’s current CEO Adolfo Hernandez, who took over after the breach, said the company has since "hugely strengthened" its cybersecurity systems. “As an organisation delivering essential public services as well as key services for private sector clients, Capita was among the first in the recent wave of highly significant cyber-attacks on large UK companies,” he said. He also said he had accelerated a cybersecurity transformation, brought in new leadership, and invested heavily in protections and continuous monitoring.
The company expressed regret for the incident and confirmed that all affected individuals had been contacted after a detailed forensic investigation.
A wave of high-profile cyberattacks across the UK
Capita’s fine comes amid a spike in high-profile cyberattacks across the UK. Other major companies like M&S, Co-op, Jaguar Land Rover, and Harrods have also been hit, prompting warnings from national security services.
Just this week, the NCSC said the number of "nationally significant" attacks has more than doubled, and urged businesses to prepare contingency plans and keep them on paper, so the plans remain usable if systems are locked or unavailable during an attack. Security experts say the fine sends a clear message.
“Companies being held financially accountable for data protection failings is a good thing,” said Trevor Dearing from cyber firm Illumio. “[It] tells victims that their stolen data does matter.”
As data breaches become more common — and more costly — the message is clear: even the biggest companies can't afford to cut corners on cybersecurity.