20 November 2025

ICO Fines Capita £14 Million For Data Breaches

Herbert Smith Freehills Kramer LLP


On 15 October the Information Commissioner's Office ("ICO") in the UK issued a penalty notice decision, fining two companies within the Capita Group a total of £14 million for breaches of UK GDPR (£8 million for the parent, Capita plc, as data controller and £6 million for a subsidiary, Capita Pension Services Limited ("CPSL"), as data processor).

This fine ranks as one of the most substantial levied by the ICO to date in respect of cyber breaches (after appeals are taken into account), below the c.£20 million ultimately levied against British Airways, but well above the average level of fine for UK GDPR breaches. In fact, the final figure represents a discount from the ICO's starting point of a combined £58 million fine. Capita settled with the ICO to reduce the penalty by admitting breaches of the UK GDPR and agreeing not to appeal the decision, along with a discount applied to reflect the fact that these were two group companies and to avoid suggestions of "double punishment".

This decision highlights the serious regulatory consequences of cyber security failures, offers an insight into the ICO's expectations and approach, and acts as a timely reminder of the importance of proactive cyber resilience and effective governance.

Background

The ICO's decision concerns a cyber attack in March 2023 which compromised Capita's IT estate and exposed the personal data of over six million individuals, including sensitive personal data containing criminal records, financial details and special category data. The Capita entities held a "very large amount of personal data", both as data controllers and processors, in their roles as part of a business process outsourcing and professional services group. In particular, CPSL acted as data processor for over 600 pension schemes, and the incident impacted over 300 such organisations.

The ICO's findings

The ICO identified several failings which it said amounted to breaches of UK GDPR, in particular of the duty to implement appropriate technical and organisational measures under Articles 5(1)(f) and 32. Specifically, these include failures to:

  • prevent privilege escalation and unauthorised lateral movement across the Capita network;
  • remedy vulnerabilities that were known before the incident and that facilitated privilege escalation and unauthorised lateral movement, a failure the ICO viewed as making this contravention "particularly egregious";
  • respond appropriately to security alerts, especially considering the 58-hour time to respond to a high priority security alert raised within ten minutes of the breach; and
  • conduct adequate penetration testing and, in particular, the failure to have regard to the importance of the types of data being processed when deciding whether or not penetration testing was necessary.

The ICO also outlined the measures that it considered Capita should have implemented to remedy these technical and organisational failings. This serves as a useful reminder of how regulators view minimum security standards. For instance, to prevent privilege escalation and unauthorised lateral movement across its IT estate, the ICO said Capita should have had privileged access management ("PAM") and account tiering in place, in accordance with the principle of least privilege (where accounts and users have the minimum access needed to perform their role). PAM involves privileged account management and control, often including features like multi-factor authentication, "just-in-time" access, credential vaulting and session monitoring. In addition, Capita should have conducted more widespread penetration testing to identify and remedy vulnerabilities before the incident. The ICO will "expect a mature Information Security Management System to have a well-established and comprehensive penetration testing program". Notably, the Commissioner considered that "vulnerability scans do not replace the need for penetration testing but both may contribute to a mature vulnerability management programme". However, the ICO's decision does acknowledge that some high risk systems may be out of scope for penetration testing.

As noted, the ICO was particularly scathing where vulnerabilities persisted after Capita became aware of them, stating that this suggested that Capita "had decided to accept the risk". This highlights a difficulty for organisations that are seeking to balance security programmes with budget restraints. Regulators are likely to take a dim view of any indication that risks were tolerated rather than addressed, and challenging such findings, made with the benefit of hindsight, is difficult.

In identifying infringements and remedial measures, the ICO referred to several industry standards and frameworks, including: National Cyber Security Centre ("NCSC") guidance; the Center for Internet Security ("CIS") Critical Security Controls ("CIS Controls") and their Implementation Group 3 ("IG3"); ISO 27001; the National Institute of Standards and Technology Cybersecurity Framework ("NIST CSF"); and the MITRE ATT&CK framework. The ICO also assessed the group against its own internal security alert response targets, rejecting Capita's argument that such considerations were irrelevant as they did not describe regulatory or contractual obligations. This provides a helpful indication of how the ICO will evaluate the appropriateness of technical and organisational measures, the number of sources it will consider and, by extension, the standards against which data controllers and processors should benchmark their performance. It also again indicates the difficulty organisations face if they fail to follow their own policies, as it is difficult to argue that these do not describe known risks which should have been averted.

As well as assessing the "state of the art" for regulatory purposes, the ICO also considered the other factors provided for in Article 32 UK GDPR, including the costs of implementing remedies, the nature, scope, context and purposes of processing and the likelihood and severity of risks to individuals. It found that the potential for harm to impacted data subjects as a result of the Capita cyber incident "could persist indefinitely" and that while the breaches were not deliberate, Capita's awareness of some of the issues aggravated the breaches which occurred.

The level of fine

The ICO fined Capita a total of £14 million for the breaches of UK GDPR identified above, split between Capita plc (£8 million) and CPSL (£6 million). This represented a £44 million reduction on the initial starting point of £58 million, in part as a result of a settlement agreement under which Capita admitted breaches of the UK GDPR and agreed not to appeal the decision. As well as settlement, the following factors were relevant to determining the final level of the fine:

  • The seriousness of the breaches and aggravating and mitigating factors: the substantial fine reflects the ICO's appreciation of the gravity of the breaches, including the high number of data subjects affected (over 6 million), the potential for harm as a result of the nature of the data exposed, Capita's prior awareness of the vulnerabilities and the duration of the breach. The ICO also held Capita to a higher standard due to the size and experience of the group. CISOs and CTOs of large organisations should expect a higher level of scrutiny from regulators. However, mitigating actions taken by Capita after the incident helped reduce the penalty level, so regulatory scrutiny should be factored into post-incident recovery.
  • Outstanding remediation actions: the Commissioner rejected Capita's argument that no further enforcement was required by the ICO because it had "already taken all steps reasonably available ... to learn the lessons of this incident". Instead, a fine was necessary as Capita still had work to do to improve its security. This is also indicative of the fact that regulators may see post-incident remedial action in a different light and, again, with the benefit of hindsight. Remediation of vulnerabilities identified as a result of an incident is clearly necessary and will be expected, but may also be seen as evidence of underlying failures prior to the remediation being implemented, pointing to the need for ongoing security posture improvement rather than a purely reactive approach.

The ICO also dismissed a number of legal arguments challenging the applicability of the fining regime in the UK GDPR, including an attempt to argue that the current Data Protection Fining Guidance, published in March 2024, was a penal regime which engaged the European Convention on Human Rights and was not sufficiently legally certain. The Commissioner confirmed that the fining regime "is sufficiently certain, precise and foreseeable and the penalty has a clear and unambiguous basis in the DPA and UK GDPR".

Capita also argued that separately fining two companies within the same group was disproportionate and amounted to "double punishment". This was dismissed by the ICO as an argument not to fine both companies. Both Capita entities owed their own obligations as a data controller and processor respectively, and each independently breached those obligations. However, the ICO did take this into account in reducing its initial fine calculation from £58 million to just over £20 million, before the further discount due to Capita settling. In a positive outcome for large groups with complex corporate structures, the ICO also indicated that where infringements arise from the same set of security measures, it may not be effective or proportionate to take action against more than one data controller or processor in a group.

Key takeaway points

  1. This significant fine may indicate a more robust enforcement approach by UK regulators. In recent years, after a number of very high fines following the introduction of the GDPR, it had been rarer to see the ICO issuing very significant fines in respect of cyber incidents. The UK government has been keen to promote enforcement where needed and has indicated an intention to increase regulation, including under the recently published Cyber Security and Resilience Bill, which, amongst other things, increases the ability of critical national infrastructure regulators to recover their costs of enforcement from infringing organisations, in addition to the fines levied.
  2. The level of fine also speaks to the seriousness with which the ICO takes cyber incidents where there is evidence that technical and organisational measures have fallen below regulatory expectations, as well as the importance placed on the overall potential for damage, in particular by reference to the number of data subjects impacted. Organisations which process large volumes of personal data should take particular notice of this. However, the reduction ultimately applied to bring the fine down to £14 million does highlight that organisations which are prepared to admit liability and settle with the ICO can achieve significant discounts.
  3. The ICO's decision identifies a number of technical "quick fixes" like PAM, account tiering, penetration testing and rapid security alert identification and escalation, many of which will already be familiar to CISOs and CTOs.
  4. However, the failure to implement appropriate technical and organisational measures is ultimately a cyber governance problem. In light of the Capita decision, organisations should also consider the strength of their governance frameworks:
    • be aware of the industry standards against which the ICO might measure policies and practices;
    • ensure that policies are implemented in practice, assess this using robust and comprehensive penetration testing and promptly act on any vulnerabilities identified;
    • share the lessons from that penetration testing across your group by implementing appropriate measures for disseminating information about good practices and vulnerabilities. In the Capita decision, the ICO accepted that "an entire Capita-wide penetration test would not necessarily be feasible" but that the company should instead have derived learning from smaller scale tests and shared "remediation advice across the organisation"; and
    • intra-group outsourcing arrangements and service provision should ideally be provided on an arm's-length basis and scrutinised as you would a third party. Be aware that both the group company providing services and the overseeing parent company can be found liable. In the case of Capita, the ICO found the parent, Capita plc, ultimately responsible for the group's cyber security despite the fact that a subsidiary service provider set policies and standards. It was relevant that the group CTO and CISO were also part of the service provider's leadership team, and that the same policies and standards set by the service provider were applied across the group.
