The UK’s Information Commissioner’s Office (ICO) has fined outsourcing giant Capita £14 million after the personal data of 6.6 million people was compromised in a major cyber-attack.
The ICO said Capita “failed to ensure the security of processing personal data,” leaving sensitive information at “significant risk.” The breach, which occurred in March 2023, exposed personal and financial details, including home addresses, passport images, and in some cases, criminal record information. Some of the stolen data later surfaced on the dark web.
Initially, the ICO had proposed a fine of £45 million, but the penalty was reduced to £14 million following discussions with Capita. The regulator acknowledged the company’s cooperation, remedial actions, and engagement with other agencies, including the National Cyber Security Centre (NCSC).
Capita, one of the UK’s largest outsourcing and professional services firms, provides a wide range of public and private sector services, including pension administration. The breach had a wide impact, with 325 out of the 600 pension schemes managed by Capita affected.
Information Commissioner John Edwards condemned the company’s failings, stating: “Capita failed in its duty to protect the data entrusted to it by millions of people. The scale of this breach and its impact could have been prevented had sufficient security measures been in place.”
In response, Capita’s chief executive Adolfo Hernandez said the company was “pleased to have concluded this matter and reached today’s settlement.” He added that Capita had “hugely strengthened” its cyber-security systems and remained vigilant to future threats.
Capita reported revenues of £2.4 billion last year. The data breach has sparked serious concerns over how major service providers handle sensitive public information.
The fine comes amid a growing wave of cyber-attacks targeting major UK organisations. Earlier this year, retailer Co-op confirmed that the personal details of around 6.5 million customers had been stolen in a similar hack. Other high-profile breaches have recently affected M&S, Harrods, and Jaguar Land Rover.
The NCSC confirmed on Tuesday that it has seen a rise in “nationally significant” cyber incidents in 2025. In a related advisory, the UK government urged business leaders to keep physical copies of their contingency plans in case cyber-attacks disrupt access to computer systems.
The ICO said the Capita case should serve as a warning to all organisations holding large amounts of personal data, emphasising that “data protection is not optional.”