UK-based outsourcing company **Capita** was fined **£14 million** (split as £8M for Capita Plc and £6M for Capita Pension Solutions Ltd) by the **Information Commissioner’s Office (ICO)** for a **2023 data breach** affecting **over 6 million individuals** across **325 pension schemes**. The ICO’s investigation revealed **inadequate cybersecurity measures**, leaving the company vulnerable to attacks that compromised **personal pension data** processed on behalf of more than **600 organizations**. The breach stemmed from **poor incident response protocols**. Capita admitted liability and settled voluntarily, reducing an initial **£45 million provisional fine**. The exposed data included sensitive **pension-related personal information**, putting affected individuals at risk of financial fraud and identity theft. The case underscores systemic failures in safeguarding third-party data, particularly in high-stakes sectors like **pensions and financial services**.
TPRM report: https://www.rankiteo.com/company/capita
"id": "cap5833058101525",
"linkid": "capita",
"type": "Breach",
"date": "6/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '6,000,000+ individuals across '
                                              '325 organizations',
                        'industry': 'Professional Services (Pensions)',
                        'location': 'United Kingdom',
                        'name': 'Capita Plc',
                        'type': 'Outsourcing Company'},
                       {'customers_affected': '6,000,000+ individuals across '
                                              '325 organizations',
                        'industry': 'Professional Services (Pensions)',
                        'location': 'United Kingdom',
                        'name': 'Capita Pension Solutions Ltd',
                        'type': 'Subsidiary (Pension Services)'},
                       {'industry': 'Various (Pension Providers)',
                        'name': '325 Organizations (Pension Scheme Clients)',
                        'type': 'Client Organizations'}],
 'data_breach': {'number_of_records_exposed': '6,000,000+',
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (personally identifiable '
                                        'information)',
                 'type_of_data_compromised': 'Personal information '
                                             '(pension-related)'},
 'date_publicly_disclosed': '2025-10-15',
 'description': 'UK-based outsourcing company Capita was fined £14 million for '
                'a data breach that affected over 6 million people. The breach '
                'impacted 325 of the 600+ organizations for which Capita '
                'processes pension-related personal information. The '
                'Information Commissioner’s Office (ICO) found inadequate '
                'cybersecurity measures in place to respond to attacks. Capita '
                'admitted liability and settled voluntarily, reducing the '
                'initial provisional fine from £45 million to £14 million (£8M '
                'for Capita Plc and £6M for Capita Pension Solutions Ltd).',
 'impact': {'brand_reputation_impact': 'High (regulatory penalty and public '
                                       'disclosure)',
            'data_compromised': 'Personal information (pension-related)',
            'financial_loss': '£14,000,000 (fines)',
            'identity_theft_risk': 'Potential (personal data exposed)',
            'legal_liabilities': '£14,000,000 (ICO fines)'},
 'initial_access_broker': {'high_value_targets': 'Pension-related personal '
                                                 'data'},
 'investigation_status': 'Completed (ICO investigation concluded with fine)',
 'post_incident_analysis': {'root_causes': 'Inadequate measures to respond to '
                                           'cyberattacks (per ICO findings)'},
 'references': [{'date_accessed': '2025-10-15',
                 'source': 'MLex (Official Statement Summary)'},
                {'date_accessed': '2025-10-15',
                 'source': 'Information Commissioner’s Office (ICO) Penalty '
                           'Notice'}],
 'regulatory_compliance': {'fines_imposed': '£14,000,000 (£8M for Capita Plc, '
                                            '£6M for Capita Pension Solutions '
                                            'Ltd)',
                           'legal_actions': 'Voluntary settlement (liability '
                                            'admitted, appeal forfeited)',
                           'regulations_violated': ['UK Data Protection Act '
                                                    '(likely GDPR equivalent)'],
                           'regulatory_notifications': 'Information '
                                                       'Commissioner’s Office '
                                                       '(ICO) penalty notice'},
 'response': {'communication_strategy': 'Official statement and regulatory '
                                        'disclosure'},
 'title': 'Capita Data Breach (2023)',
 'type': 'Data Breach'}