Capita has been handed a record ransomware fine of £14 million by the Information Commissioner’s Office (ICO) after a 2023 cyberattack exposed the personal data of 6.6 million people. The Capita ransomware fine marks the largest penalty ever issued by the ICO for a ransomware-related breach and highlights serious shortcomings in the company’s cybersecurity defences.
The ICO investigation revealed that Capita’s data breach in 2023 resulted from inadequate security measures that left the systems of the UK’s largest outsourcing firm open to attack. Hackers stole nearly one terabyte of information, including pension data, employee details, and sensitive financial records.
The regulator fined Capita plc £8 million and its pensions arm, Capita Pension Solutions Limited £6 million, bringing the total penalty to £14 million. Although this is less than the initial £45 million fine proposed by the ICO, it remains a landmark decision in the UK’s approach to ransomware and data protection enforcement.
How the Ransomware Attack Unfolded
The UK ransomware attack on Capita began in March 2023 when an employee accidentally downloaded a malicious file. Although a high-priority security alert was triggered within minutes, Capita failed to quarantine the infected device for more than two days.
This delay allowed attackers to move across Capita’s network, gain administrator access, and steal massive amounts of data between March 29 and 30, 2023. The next day, ransomware was deployed, locking Capita out of its own systems.
The ICO fine on Capita follows an extensive investigation that found several failures in its incident response. Despite repeated internal warnings about system vulnerabilities, the company failed to implement stronger administrative controls, allowing hackers to escalate privileges and access critical systems.
ICO’s Findings and Regulatory Response
According to the Information Commissioner’s Office, Capita lacked adequate technical and organisational safeguards to protect personal data. Key failings included:
- No proper tiering for administrative accounts, which enabled lateral movement by attackers.
- Delayed response to critical alerts — the compromised device was isolated 58 hours after detection.
- Infrequent penetration testing, with no regular reassessment of high-risk systems.
- Poor sharing of risk findings across departments, leaving vulnerabilities unaddressed.
John Edwards, the UK Information Commissioner, said the Capita cybersecurity failures represented a major breach of trust.
“Capita failed in its duty to protect the data entrusted to it by millions of people. The scale of this breach and its impact could have been prevented had sufficient security measures been in place,” he said.
Edwards warned that businesses cannot afford to be complacent. “With so many cyberattacks in the headlines, our message is clear: every organisation, no matter how large, must take proactive steps to keep people’s data secure. Cyber criminals don’t wait, and neither should businesses.”
Response and Settlement After the Capita Ransomware Fine
Following the Capita data breach 2023, the company offered affected individuals 12 months of free credit monitoring through Experian and set up a dedicated call centre. Over 260,000 people activated the monitoring service.
The ICO acknowledged that Capita cooperated fully during the investigation and made improvements to its cybersecurity posture after the attack. These actions contributed to reducing the total penalty from £45 million to £14 million.
Capita accepted responsibility for the breach and agreed not to appeal the decision, finalising the Capita ransomware fine in a voluntary settlement with the ICO.
Lessons for Businesses
The ICO fine on Capita serves as a strong reminder that even established firms are not immune to cyber threats. The regulator urged all organisations to follow the National Cyber Security Centre’s (NCSC) guidance, apply the principle of least privilege, and ensure timely response to alerts.
The Capita case reinforces that cybersecurity failures can lead not only to reputational damage but also to record-breaking financial penalties. With ransomware attacks continuing to rise, the message from regulators is clear — investing in security today can prevent severe consequences tomorrow.
