The United Kingdom fines Capita £14 million over the 2023 cyber incident

Posted date 28/10/2025

On October 15, 2025, the Information Commissioner's Office (ICO), the data protection regulator in the United Kingdom, fined the outsourcing company Capita a total of £14 million for a data breach that occurred in March 2023.

The breach affected the data of 6.6 million people. This data included personal records, pension records, and customer details from organizations that worked with Capita. In some cases, financial data, criminal records, and special categories of data were also exposed.

The attack began on March 22, 2023, when an employee unintentionally downloaded a malicious file. Within 10 minutes, the company's security tooling raised a high-priority alert and took some automatic protective measures. However, Capita did not quarantine the affected device until 58 hours had passed, and during that window the attacker was able to exploit the system.

The malicious file allowed malware to be installed on Capita's network, enabling the attacker to persist in the environment, obtain administrator permissions, and reach other areas of the network. Once that access was gained, between March 29 and 30, nearly a terabyte of data was exfiltrated. The following day, March 31, the attacker deployed ransomware on Capita's systems and reset all passwords to lock Capita staff out of the system.

The ICO's investigation found that Capita had failed to ensure the security of its personal data processing. Specifically, the ICO found that privilege escalation and lateral movement were not prevented, security alerts were not adequately responded to, and penetration testing and risk assessment were not properly carried out.