Information Commissioner's Office fines Capita £14m for data breach

Watchdog said Capita ‘failed in its duty’ to protect the data entrusted to it

Jonathan Stapleton
15 October 2025 • 3 min read

The Information Commissioner’s Office (ICO) has fined Capita £14m for failing to ensure the security of personal data related to a breach in 2023 that saw hackers steal millions of people’s information.

In a statement issued yesterday (14 October), the regulator said Capita plc had been fined £8m and Capita Pension Solutions had been fined £6m, giving a combined total of £14m.

The ICO said the cyber-attack, which took place in March 2023, saw the personal information of 6.6 million people stolen from the pension and staff records that Capita holds on behalf of its customers.

It said that, for some people, this included sensitive information such as details of criminal records, financial data or special category data.

The ICO said its investigation found that Capita had failed to ensure the security of processing of personal data, which left it at significant risk, and had lacked the appropriate technical and organisational measures to respond effectively to the attack.

UK information commissioner John Edwards said: "Capita failed in its duty to protect the data entrusted to it by millions of people. The scale of this breach and its impact could have been prevented had sufficient security measures been in place.

"When a company of Capita's size falls short, the consequences can be significant. Not only for those whose data is compromised – many of whom have told us of the anxiety and stress they have suffered – but for wider trust amongst the public and for our future prosperity. As our fine shows, no organisation is too big to ignore its responsibilities."

Edwards added: "Maintaining good cybersecurity is fundamental to economic growth and security. With so many cyber-attacks in the headlines, our message is clear: every organisation, no matter how large, must take proactive steps to keep people's data secure. Cyber criminals don't wait, so businesses can't afford to wait either – taking action today could prevent the worst from happening tomorrow."

The ICO said it had initially informed Capita of its provisional intention to fine it a combined total of £45m. It said that Capita had then submitted representations and mitigating factors on the provisional decision – including the improvements made after the attack, support offered to affected individuals and engagement with other regulators and the National Cyber Security Centre.

The ICO said it has now agreed a voluntary settlement with Capita – with Capita having acknowledged the ICO's decision, admitted liability and agreed to pay a final penalty of £14m without appealing.

Capita said it is committed to upholding the security of its data and protection of its systems for its clients and their customers. It said it regretted the incident – reaffirming that, following a detailed forensic investigation, all those identified as potentially impacted were contacted after the attack.

Capita chief executive (CEO) Adolfo Hernandez said: "As an organisation delivering essential public services as well as key services for private sector clients, Capita was among the first in the recent wave of highly significant cyber-attacks on large UK companies.

"When I joined as CEO the year after the attack I accelerated our cyber security transformation, with new digital and technology leadership and significant investment. As a result, we have hugely strengthened our cybersecurity posture, built in advanced protections and embedded a culture of continuous vigilance."

Hernandez added: "Following an extended period of dialogue with the ICO over the last two years, we are pleased to have concluded this matter and reached today's settlement. The Capita team continues to focus tirelessly on our Group transformation journey for the benefit of our customers, our people and wider society."

Capita said, reflecting the impact of the £14m penalty, it now expected free cash outflow before the impact of business exits of between £59m and £79m, with no other changes to the previous guidance of £45m and £65m.

It said it continued to expect to be cash positive from the end of 2025, adding that its full-year 2025 guidance, together with its medium-term targets, also remains unchanged.
