Capita fined £14m for hack affecting 325 schemes

Image: Soumil Kumar/Pexels


The Information Commissioner’s Office has settled with Capita and fined the firm £14m for failing to ensure the security of personal data, following a breach in March 2023 in which hackers stole pension and other personal data belonging to 6.6m people. The fine had originally been set at £45m but was reduced after Capita made representations.

Capita plc has been fined £8m and Capita Pension Solutions £6m. Capita Pension Solutions processes personal information on behalf of over 600 organisations that provide pension schemes, and 325 of these were also affected by the breach, the ICO said on Wednesday. The stolen data included sensitive information such as details of criminal records, financial data and special category data.

“Capita failed in its duty to protect the data entrusted to it by millions of people. The scale of this breach and its impact could have been prevented had sufficient security measures been in place,” said information commissioner John Edwards. 

The ICO also found that Capita lacked the appropriate technical and organisational measures to effectively respond to the attack. 

“When a company of Capita’s size falls short, the consequences can be significant. Not only for those whose data is compromised – many of whom have told us of the anxiety and stress they have suffered – but for wider trust amongst the public and for our future prosperity. As our fine shows, no organisation is too big to ignore its responsibilities,” he said.  

Edwards argued that maintaining good cybersecurity is fundamental to economic growth and security.   

“With so many cyber attacks in the headlines, our message is clear: every organisation, no matter how large, must take proactive steps to keep people’s data secure. Cyber criminals don’t wait, so businesses can’t afford to wait either - taking action today could prevent the worst from happening tomorrow,” he said. 

The ICO initially informed Capita that it intended to impose a combined fine of £45m. Capita then submitted representations and mitigating factors in response to the provisional decision, which the ICO said “have been carefully considered”. The mitigating factors included “the improvements made after the attack, support offered to affected individuals and engagement with other regulators and the National Cyber Security Centre”, resulting in a voluntary settlement and a final penalty of £14m.

Capita said it regrets the incident, which began when an employee inadvertently downloaded malicious software, and said that everyone identified as potentially affected was contacted after the attack.
 
“As an organisation delivering essential public services as well as key services for private sector clients, Capita was among the first in the recent wave of highly significant cyber-attacks on large UK companies,” said chief executive Adolfo Hernandez. 

He said the firm has “hugely strengthened” its cybersecurity. 

Hernandez added: “Following an extended period of dialogue with the ICO over the last two years, we are pleased to have concluded this matter and reached today’s settlement.”
