Capita, the United Kingdom’s largest outsourcing company, has been handed a record fine of £14 million ($18.7 million) by the Information Commissioner’s Office (ICO) after a catastrophic ransomware attack in March 2023 exposed the personal data of 6.6 million people. The ICO, Britain’s data watchdog, announced the penalty on October 15, 2025, citing Capita’s “failure to ensure the security of processing of personal data which left it at significant risk.”
The breach, orchestrated by the notorious Black Basta ransomware group, compromised a vast trove of sensitive information. Stolen records included names, addresses, dates of birth, pension and staff details, and, in some cases, financial details such as credit card numbers and CVVs, and even criminal records. According to the BBC, some of this data was later found circulating on the dark web, raising the stakes for those affected and amplifying public outcry over Capita’s security failings.
Capita, which provides business support services to government and private sector clients alike, manages personal data for more than 600 pension schemes—325 of which were directly impacted by the breach. The attack not only exposed millions of individuals’ private details but also triggered major IT outages, disrupting customer-facing services at public sector bodies and operators of critical national infrastructure across the UK. Staff at affected organizations found themselves unable to answer calls or forced to revert to pen-and-paper methods, a scenario that underscored the real-world consequences of digital vulnerabilities.
The ICO’s investigation painted a damning picture of Capita’s cybersecurity posture at the time of the attack. The breach began when an employee unwittingly downloaded a malicious JavaScript file on March 22, 2023. Although a high-priority alert was generated within 10 minutes, Capita did not quarantine the compromised device for 58 hours. During this window the attackers deployed the Qakbot malware and the Cobalt Strike post-exploitation framework, exfiltrated nearly a terabyte of data, and ultimately deployed ransomware that reset all user passwords by March 31.
“Capita failed in its duty to protect the data entrusted to it by millions of people. The scale of this breach and its impact could have been prevented had sufficient security measures been in place,” said John Edwards, the UK’s Information Commissioner, in a statement quoted by multiple outlets including Cybernews and BBC. Edwards further emphasized, “When a company of Capita’s size falls short, the consequences can be significant. Not only for those whose data is compromised – many of whom have told us of the anxiety and stress they have suffered – but for wider trust amongst the public and for our future prosperity. As our fine shows, no organization is too big to ignore its responsibilities.”
The ICO’s penalty, £8 million for Capita plc and £6 million for Capita Pension Solutions Limited, is well below the £45 million ($60 million) the regulator had initially proposed. The figure was reduced after Capita presented mitigating factors, including improvements to its cybersecurity infrastructure, support offered to those affected, and active engagement with the ICO and other regulators, including the National Cyber Security Centre (NCSC). Capita’s CEO, Adolfo Hernandez, expressed relief at the conclusion of the matter, stating, “When I joined as CEO the year after the attack I accelerated our cyber security transformation, with new digital and technology leadership and significant investment. As a result, we have hugely strengthened our cybersecurity posture, built in advanced protections and embedded a culture of continuous vigilance.”
However, not everyone is satisfied with the outcome or the size of the fine. Dr. Ilia Kolochenko, CEO at ImmuniWeb and a fellow at the British Computer Society, told Cybernews, “Practically speaking, the fine equates to £2 pounds per victim. Given that highly sensitive data was compromised in this disastrous data breach, it may seem to be a very lenient penalty, to put it mildly.” Similarly, Adnan Malik, head of data protection at Barings Law, which is representing thousands of affected individuals in ongoing legal action against Capita, argued that the fine—less than 1% of Capita’s annual revenue—does little to address the harm caused. “It does little to set right the harms caused by the firm’s inadequate cyber security procedures, which led to the loss of highly sensitive data, including benefits and pension records,” Malik said, according to The Guardian. He added, “This fine, and mounting legal proceedings, should be a wake-up call to any firm still playing fast and loose with its customers’ data.”
The ICO’s findings also highlighted a series of technical and organizational failings at Capita. The company’s Security Operations Centre (SOC) was often understaffed, typically with just one analyst per shift. Automated response and escalation protocols were lacking, and the endpoint detection and response (EDR) software failed to escalate the threat appropriately when Qakbot and Cobalt Strike were detected. The regulator noted that Capita had provided contradictory information about how quickly it had responded to the initial breach, further complicating the investigation.
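The failure the ICO describes in the two passages above is measurable: a high-priority EDR alert fired within 10 minutes, but nothing forced containment or escalation during the 58 hours that followed. The script below is an added example, not code from Capita, the ICO or any EDR vendor; it runs a time-to-contain check over a few constructed alert and containment events (the 58-hour device line mirrors the page’s figure, the other lines are invented) and raises an escalation for any alert that has not been contained within a per-severity SLA. The SLA values are assumptions for illustration; the page names no Capita SLA.

```python
"""Time-to-contain check over EDR alert events (added example, not Capita's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample telemetry, not real Capita data. One event per line:
# ISO-8601 UTC time, device, event kind ("alert" or "containment"), severity.
# host-b reproduces the page's figure: alert at 09:10, quarantine 58 hours later.
SAMPLE_EVENTS = """\
2023-03-22T09:00:00Z host-a alert high
2023-03-22T10:00:00Z host-a containment -
2023-03-22T09:10:00Z host-b alert high
2023-03-24T19:10:00Z host-b containment -
2023-03-22T11:00:00Z host-c alert low
"""

# Assumed containment SLAs per severity (illustrative; the page gives none).
CONTAIN_SLA = {
    "high": timedelta(hours=1),
    "medium": timedelta(hours=8),
    "low": timedelta(hours=24),
}

# Reference "now" for open alerts in the constructed sample.
SAMPLE_NOW = datetime(2023, 3, 22, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Event:
    time: datetime
    device: str
    kind: str       # "alert" or "containment"
    severity: str   # alert severity; "-" on containment events


@dataclass
class Finding:
    device: str
    severity: str
    alert_time: datetime
    contain_time: Optional[datetime]
    dwell_hours: float
    status: str     # contained_within_sla | sla_breached | open_within_sla | uncontained_overdue


def parse_events(text: str) -> List[Event]:
    """Parse the whitespace-separated event lines, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, kind, severity = line.split()
        # Replace the trailing 'Z' so fromisoformat works on Python < 3.11 too.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, device, kind, severity))
    return sorted(events, key=lambda e: e.time)


def time_to_contain(events: List[Event], now: datetime = SAMPLE_NOW) -> List[Finding]:
    """Pair each device's first alert with its first later containment and grade
    the dwell time against the severity's SLA. Open alerts are measured to `now`."""
    first_alert: Dict[str, Event] = {}
    contained: Dict[str, datetime] = {}
    for ev in events:  # already time-ordered, so containment follows its alert
        if ev.kind == "alert" and ev.device not in first_alert:
            first_alert[ev.device] = ev
        elif ev.kind == "containment" and ev.device in first_alert and ev.device not in contained:
            contained[ev.device] = ev.time

    findings = []
    for device, alert in first_alert.items():
        sla = CONTAIN_SLA.get(alert.severity, CONTAIN_SLA["low"])
        end = contained.get(device)
        dwell = (end if end is not None else now) - alert.time
        if end is not None:
            status = "contained_within_sla" if dwell <= sla else "sla_breached"
        else:
            status = "uncontained_overdue" if dwell > sla else "open_within_sla"
        findings.append(Finding(device, alert.severity, alert.time, end,
                                dwell.total_seconds() / 3600.0, status))
    return findings


def escalations(findings: List[Finding]) -> List[str]:
    """The automated escalation step the ICO found missing: one message per
    alert that breached its SLA or is still open past it."""
    return [
        f"ESCALATE {f.device}: {f.severity} alert uncontained for {f.dwell_hours:.1f}h ({f.status})"
        for f in findings
        if f.status in ("sla_breached", "uncontained_overdue")
    ]


if __name__ == "__main__":
    results = time_to_contain(parse_events(SAMPLE_EVENTS))
    for f in results:
        print(f"{f.device:7s} {f.severity:5s} dwell={f.dwell_hours:5.1f}h {f.status}")
    for msg in escalations(results):
        print(msg)
```

In a real SOC the `escalations` output would be wired to a pager or to an automatic isolation action rather than printed; the point of the check is that a 58-hour gap on a high-priority alert can never pass silently, however thinly the shift is staffed.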
The attack’s fallout extended beyond direct financial and reputational costs. The ICO received complaints from individuals who suspected that money had been stolen from their accounts as a result of the breach. The incident also contributed to a broader sense of unease about the security of personal data held by large organizations, especially as the UK has seen a marked increase in high-profile cyber-attacks in recent years. Earlier in 2025, retailer Co-op suffered a breach affecting 6.5 million customers, and similar incidents have hit M&S, Harrods, and Jaguar Land Rover. The NCSC has confirmed an uptick in nationally significant cyber-attacks and has advised organizations to prepare contingency plans—on paper, no less—in case of further digital disruptions.
The Black Basta ransomware group, which claimed responsibility for the Capita attack, has since become inactive following law enforcement action and a major internal data leak in early 2025. While some observers speculate that the disappearance of stolen Capita documents from Black Basta’s extortion site could indicate a ransom payment or negotiation, Capita has declined to comment on this point, and regulators have made no findings of wrongdoing in this regard.
For those affected, the story is far from over. Thousands are pursuing legal action against Capita, seeking redress for the anxiety, financial loss, and privacy violations they have endured. And for the wider corporate world, the case stands as a stark reminder: robust cybersecurity is not just a technical requirement but a fundamental duty owed to every individual whose data is entrusted to a business. As regulators, legal experts, and the public watch closely, the consequences of Capita’s failings will continue to reverberate across the landscape of digital trust.