Capita, one of the UK’s leading outsourcing and business support firms, has been fined £14 million ($18.7 million) for failing to adequately protect personal data during a 2023 cyber attack.
The fine follows a settlement with the UK Information Commissioner’s Office (ICO), which found serious lapses in the company’s cybersecurity practices.
The breach, which Capita disclosed in 2023, compromised personal information belonging to 6.7 million individuals. The company had initially estimated the financial impact of the cyber incident at up to £20 million.
ICO Findings Highlight Cybersecurity Failures
According to the ICO’s report, Capita failed to implement sufficient safeguards to prevent unauthorized access and did not respond promptly to security alerts. The regulator said the company’s network lacked effective controls to prevent privilege escalation and lateral movement, allowing attackers to gain deeper access to sensitive systems.
John Edwards, the UK Information Commissioner, said: “With so many cyber attacks in the headlines, our message is clear: every organisation, no matter how large, must take proactive steps to keep people’s data secure.”
Capita Strengthens Cyber Defenses After Breach
In response to the findings, Capita said it has significantly strengthened its cybersecurity framework and implemented advanced protection measures to mitigate future risks. CEO Adolfo Hernandez said the company was pleased to have concluded the matter after a prolonged engagement with the ICO.
“Following an extended period of dialogue with the ICO over the last two years, we are pleased to have concluded this matter,” Adolfo Hernandez said.
Despite the settlement, Capita expects to record a free cash outflow of £59 million–£79 million in 2025, up from earlier estimates of £45 million–£65 million. The company maintained that all other annual and mid-term financial targets remain unchanged.
The fine adds to a growing list of cybersecurity enforcement actions in the UK, following recent data breaches involving Marks & Spencer, Co-op, and Jaguar Land Rover. The National Cyber Security Centre (NCSC) recently reported that “highly significant” cyber incidents have doubled year-on-year in Britain, underscoring the escalating threat landscape for both public and private sectors.
Key Takeaway
Capita’s £14 million penalty serves as a stark reminder for UK companies to prioritize data protection and cyber resilience amid rising regulatory scrutiny. As attacks grow more sophisticated, robust network monitoring, rapid incident response, and continuous security upgrades are no longer optional—they’re essential to maintaining trust and compliance.
Rajani Baburajan
