The Information Commissioner's Office ("ICO") has imposed a £14 million fine on Capita for infringements of the UK General Data Protection Regulation ("UK GDPR") relating to a cyber security incident suffered by Capita in 2023.
What happened?
In March 2023, Capita, a provider of professional services including pensions administration services, suffered a cyber security incident. An unauthorised person or persons ("threat actor") gained access to Capita's systems and removed data relating to over 6.6 million individuals, including data held by over 300 pension schemes. The threat actor subsequently deployed ransomware onto Capita's systems and reset all user passwords, preventing Capita staff from accessing their systems and network.
As of September 2025, the ICO had received 93 complaints relating to the incident. High Court proceedings have also been brought against Capita on behalf of 3,973 claimants, although no amount of damages has been specified to date (see here).
What infringements did the ICO identify?
Following its investigation into the incident, the ICO concluded that Capita had breached its obligations under Article 32 of the UK GDPR to process personal data in a manner that ensures the security of that data and to implement appropriate technical and organisational measures to respond effectively to the incident. In particular, Capita had:
- Failed to prevent a single point of access from expanding. Some accounts had administrative levels of access and control, even where this was not necessary. This allowed the threat actor to escalate privileges (granting more access and control to the compromised accounts), move laterally across multiple domains to access other data or parts of the network, and compromise critical systems. This had been flagged as a vulnerability on at least three separate occasions prior to the incident but had not been remedied.
- Failed to respond appropriately to security alerts. Although a high priority security alert was raised within ten minutes of the initial breach by the threat actor, Capita took 58 hours to respond appropriately, against Capita's target response time of one hour. Its Security Operations Centre was understaffed and, in the six months before the incident, fell well below the target response times for responding to security alerts.
- Conducted inadequate penetration testing and risk assessment. Systems processing millions of records, including some sensitive data, were only subject to a penetration test upon being originally implemented and were not subject to any subsequent or regular penetration testing. In addition, findings from penetration tests were siloed within business units and risks identified that affected the wider Capita network were not universally addressed.
How did the ICO calculate the fine?
Initially, the ICO proposed a fine of £45 million. However, having considered representations from Capita, the ICO and Capita agreed a voluntary settlement under which Capita will pay a fine of £14 million and waive its right to appeal that fine.
What practical steps can pension schemes take?
In light of the comments and statements from the ICO, trustees of pension schemes in the UK may wish to consider:
- Following the National Cyber Security Centre ("NCSC")'s guidance on preventing unintended (lateral) movement of data and files (which includes protecting credentials, deploying good authentication practices, protecting high profile accounts and locking down devices, amongst others) and ensuring that the "principle of least privilege" is applied across the organisation, i.e. that administrative level privileges and access are only granted where strictly necessary. The NCSC guidance was specifically referred to by the ICO.
- Regularly monitoring for suspicious activity and responding to initial warnings and alerts in a timely manner.
- Implementing regular penetration testing and risk assessments and sharing the findings from penetration testing with scheme employers so risks can be universally addressed.
- Prioritising investment in key security controls to ensure that they are operating effectively.
- Checking agreements with data processors (such as IT service providers or administrators) are up to date and set out information security and data protection responsibilities between the parties.
In considering the above, trustees will need to discuss and assess what arrangements they currently have in place with their scheme administrators and take advice as appropriate. They may also wish to leverage the technical expertise and resources of the scheme's employer(s), including participating in trainings or demonstrations.
When determining the level of fine to impose, the ICO took into account a number of mitigating factors which served to reduce the fine, including:
- Improvements made by Capita to its cyber security controls after the incident.
- Support offered by Capita to affected individuals, including free credit monitoring for 12 months and appointment of a third party to monitor the dark web.
- Capita's engagement with other regulators, including it voluntarily informing the NCSC of the incident.
- Capita's admission of liability regarding the infringements – although the ICO noted that the reduction it applied to reflect this admission would have been higher had Capita made that admission before the ICO notified Capita of its intent to issue a fine of £45 million.
These give an indication of the types of action that trustees or administrators can take in the event of a cyber incident to mitigate impacts and demonstrate a robust incident response protocol to a regulator.
© Copyright 2025. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.