UK ICO Imposes £15 Million in GDPR Fines on Capita and LastPass for Cybersecurity Failures
In late 2025, the UK Information Commissioner’s Office (ICO) levied a combined £15 million in GDPR fines against Capita plc and Capita Pension Solutions Limited (fined £14 million on 15 October 2025) and LastPass UK Limited (fined £1.2 million on 20 November 2025) for data breaches resulting from cyberattacks.
The ICO’s decisions highlight critical enforcement trends, including its strict expectations for proactive cybersecurity measures. In Capita’s case, the regulator determined that inadequate penetration testing, understaffed security operations, and weak administrator access controls created avoidable vulnerabilities exploited by attackers. Despite acknowledging the costs of robust security, the ICO rejected resource constraints as justification for lapses, particularly for organizations handling high-risk data.
The rulings also emphasize the NCSC’s cybersecurity guidance as a benchmark for "appropriate" GDPR compliance. Internal documents such as Capita’s penetration test reports were cited as evidence of security weaknesses, underscoring the legal risks of unprotected internal assessments. Companies are advised to consider privilege protections for sensitive security findings to limit exposure.
The ICO set a high bar for mitigating factors. LastPass’s cooperation, though deemed "good," was not considered exceptional, while Capita’s 14-hour GDPR notification (well ahead of the 72-hour deadline) failed to reduce its penalty. The regulator expects continuous, engaged responses rather than one-time compliance efforts.
Notably, LastPass’s fine was calculated based on its holding company’s global revenue, not just its own turnover, aligning with EU precedent. This approach could significantly impact private equity and investment firms, as fines may extend to broader corporate groups.
The cases signal the ICO’s uncompromising stance on data protection, with enforcement actions targeting both technical oversights and structural accountability.
Source: https://www.jdsupra.com/legalnews/recent-ico-data-breach-enforcement-7794437/
LastPass cybersecurity rating report: https://www.rankiteo.com/company/lastpass
"id": "LAS1770195780",
"linkid": "lastpass",
"type": "Breach",
"date": "10/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Business Process Outsourcing / Pension Solutions',
                        'location': 'UK',
                        'name': 'Capita plc',
                        'type': 'Corporation'},
                       {'industry': 'Pension Solutions',
                        'location': 'UK',
                        'name': 'Capita Pension Solutions Limited',
                        'type': 'Subsidiary'},
                       {'industry': 'Password Management / Cybersecurity',
                        'location': 'UK',
                        'name': 'LastPass UK Limited',
                        'type': 'Subsidiary'}],
 'data_breach': {'sensitivity_of_data': 'High-risk data'},
 'date_publicly_disclosed': '2025-10-15',
 'description': 'The UK Information Commissioner’s Office (ICO) levied a combined £15 million in GDPR fines against Capita plc and Capita Pension Solutions Limited (£14 million) and LastPass UK Limited (£1.2 million) for data breaches resulting from cyberattacks. The rulings highlight critical enforcement trends, including strict expectations for proactive cybersecurity measures, inadequate penetration testing, understaffed security operations, and weak administrator access controls.',
 'impact': {'brand_reputation_impact': True,
            'data_compromised': True,
            'financial_loss': '£15 million (combined fines)',
            'legal_liabilities': True},
 'investigation_status': 'Completed',
 'lessons_learned': 'The ICO expects proactive cybersecurity measures, continuous compliance efforts, and strict adherence to NCSC guidance. Resource constraints are not accepted as justification for security lapses, and internal security findings may be used as evidence in enforcement actions.',
 'post_incident_analysis': {'root_causes': ['Inadequate penetration testing',
                                            'Understaffed security operations',
                                            'Weak administrator access controls']},
 'recommendations': ['Implement robust penetration testing and access controls',
                     'Ensure adequate staffing for security operations',
                     'Protect internal security assessments with privilege protections',
                     'Adopt continuous, engaged responses to incidents rather than one-time compliance',
                     'Prepare for fines based on global revenue for multinational groups'],
 'references': [{'source': 'UK Information Commissioner’s Office (ICO)'},
                {'source': 'NCSC Cybersecurity Guidance'}],
 'regulatory_compliance': {'fines_imposed': [{'amount': '£14 million',
                                              'entity': 'Capita plc and Capita Pension Solutions Limited'},
                                             {'amount': '£1.2 million',
                                              'entity': 'LastPass UK Limited'}],
                           'regulations_violated': ['GDPR'],
                           'regulatory_notifications': ['14-hour GDPR notification (Capita)',
                                                        '72-hour GDPR notification deadline met']},
 'title': 'UK ICO Imposes £15 Million in GDPR Fines on Capita and LastPass for Cybersecurity Failures',
 'type': 'Data Breach',
 'vulnerability_exploited': ['Inadequate penetration testing',
                             'Understaffed security operations',
                             'Weak administrator access controls']}