Outsourcing giant Capita has been fined £14 million after a large-scale cyber attack exposed the personal data of more than six million individuals, including highly sensitive information such as pension records, criminal conviction details, and financial data.
The Information Commissioner’s Office (ICO) found that Capita failed to safeguard personal information adequately, leaving the company “at significant risk.” According to the ICO, Capita lacked the necessary technical and organisational safeguards to prevent or respond effectively to the March 2023 breach.
Investigators said that the damage could have been avoided had sufficient cybersecurity controls been in place. Capita's own target was to respond to critical alerts within one hour; in this case it took 58 hours to act on one. That delay, compounded by an understaffed security operations centre, gave the attackers, who had gained their initial foothold through a malicious file inadvertently downloaded by an employee, time to expand their access across Capita's systems, leading to widespread data exposure.
The ICO’s report highlighted not only the emotional distress caused to those affected but also a broader erosion of public trust in large-scale service providers handling personal information. Capita, which employs around 35,000 staff worldwide, faced potential fines of up to £45 million but received a reduced penalty after accepting responsibility, cooperating with authorities, and taking corrective measures.

Following the incident, CEO Adolfo Hernandez—who assumed the role after the breach—stated that the company had accelerated its cybersecurity overhaul, investing heavily in new digital systems and leadership to strengthen defences and foster a culture of “continuous vigilance.”
The case underscores growing concern over the surge in cyber threats across the UK. The National Cyber Security Centre (NCSC) reported a 50% increase in major cyber incidents involving criminal and state actors this year. High-profile firms such as Jaguar Land Rover, Marks & Spencer, and the Co-op have all suffered disruptions linked to cyber attacks in recent months.
Commenting on the Capita case, UK Information Commissioner John Edwards emphasised the financial and reputational risks of poor cybersecurity.
“With so many cyber attacks in the headlines, our message is clear: every organisation, regardless of size, must take proactive steps to secure personal data,” Edwards said.
The ICO advised companies to prioritise investment in core security infrastructure, maintain continuous monitoring for suspicious activity, and act swiftly upon receiving system alerts—key measures that could prevent costly and damaging breaches in the future.