On October 15, 2025, the UK’s Information Commissioner’s Office (ICO) fined Capita plc and Capita Pension Solutions Limited (CPSL) (collectively “Capita”) £14 million (~$18.8 million) for failing to implement adequate security measures to protect the personal data of ~6.6 million individuals following a ransomware attack by Black Basta. The ICO’s penalty notice is available here. See also the ICO’s recent actions against Advanced Computer Software Group, DPP Law and 23andMe for similar failings.
What happened?
On March 22, 2023, a malicious JavaScript file was inadvertently downloaded onto a Capita employee’s device. There was no evidence of phishing and, whilst not confirmed, it is believed that this was a drive-by download attack, i.e. one in which a victim unintentionally and unknowingly installs malware onto a device. Within four hours of the download, the threat actor had gained access to a domain administrator account within the Capita environment and had successfully escalated privileges. Whilst in Capita’s systems, the threat actor exfiltrated ~1 TB of data, deployed ransomware and commenced a global password reset.
Within 10 minutes of the download of the malicious JavaScript file, a high-priority alert was triggered by Capita’s security tooling. However, Capita’s Security Operations Centre (SOC) only responded to the high-priority alert 58 hours after initial access by the threat actor.
What personal data was impacted?
Personal data was exfiltrated from four Capita entities (Capita plc, Capita Resourcing Limited, Capita Business Services Limited and CPSL). It is believed that ~6.6 million people were affected by the incident. This includes Capita’s own customers as well as customers of Capita’s private and public sector clients. Personal data affected included higher risk data elements such as financial information, national ID numbers, scans of ID documents, biometrics, children’s data and special category data (health information, medical numbers, racial/ethnic origin, political beliefs, religious/philosophical beliefs, trade union membership, sexual orientation, criminal record checks).
Failings identified by the ICO
Given Capita’s size, the resources available to it, and the volume of personal data it processed, the ICO found that Capita failed to implement proper technical and organizational safeguards, as required by the UK GDPR.
Capita failed to prevent unauthorized lateral movement and privilege escalation within its network.
Privileged access management: the domain administrator account was a service account that had access to at least 8 domains. Referring to current industry standards, the ICO commented that the level of privilege on service accounts should have been controlled and the set of devices accessible to the service account limited. As such, Capita’s approach to privileged access management was found to be insufficient.
Penetration testing: Capita carried out 139 penetration tests between March 2022 and March 2023 across its wider network. However, these tests were not carried out on the parts of the Capita environment affected by the incident. The ICO deemed this to be a breach of the UK GDPR as Capita did not consider the nature of personal data being processed on the affected systems when choosing whether to implement penetration testing.
Additionally, August 2022 penetration tests flagged that domain admin accounts should be managed using the principle of least privilege. However, this recommendation was not shared with other entities in the Capita group for implementation across the wider network. The ICO found that Capita was, or reasonably ought to have been, aware of the issues raised regarding privileged access management, and that Capita failed to disseminate this information across the corporate group.
Capita failed to respond to security alerts.
Capita has an internal target that 95% of high-priority alerts will be responded to within one hour. However, in the six months before the incident, Capita did not respond to a single high-priority alert within the one-hour timeline. Additionally, Capita was staffing only one SOC analyst per shift, which the ICO deemed to be insufficient. The ICO considered that for an organization of Capita’s size, three SOC analysts per shift would be adequate resourcing.
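The one-hour response target described above is only meaningful if it is measured continuously against the live alert queue. The following is an added example (not code from the ICO notice or from Capita) of how a SOC can compute compliance with such a target from its own alert records: it pairs each high-priority alert with its acknowledgement time, treats still-open alerts as breaches once they pass the target, and reports the compliance fraction against the 95% threshold. The alert records, identifiers and timestamps are constructed sample data, not the actual incident logs.

```python
"""
Added example: measuring a SOC alert-response target (95% of high-priority
alerts acknowledged within one hour) from alert queue records.
All records below are constructed sample data, not real incident logs.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Alert:
    alert_id: str
    severity: str
    raised_at: datetime
    acknowledged_at: Optional[datetime]  # None means nobody has picked it up yet


# Constructed sample queue (hypothetical ids and times).
SAMPLE_ALERTS = [
    Alert("A-1001", "high", datetime(2023, 3, 22, 9, 0), datetime(2023, 3, 22, 9, 20)),
    Alert("A-1002", "high", datetime(2023, 3, 22, 9, 10), datetime(2023, 3, 24, 19, 10)),  # 58 h later
    Alert("A-1003", "low", datetime(2023, 3, 22, 10, 0), datetime(2023, 3, 22, 10, 5)),
    Alert("A-1004", "high", datetime(2023, 3, 22, 11, 0), None),  # still unacknowledged
    Alert("A-1005", "high", datetime(2023, 3, 22, 12, 0), datetime(2023, 3, 22, 12, 45)),
]

# Point in time at which the report is run (constructed).
REPORT_TIME = datetime(2023, 3, 25, 0, 0)


def response_time(alert: Alert, now: datetime) -> timedelta:
    """Elapsed time from the alert being raised to acknowledgement.

    An alert that has not been acknowledged is measured up to `now`, so an
    open alert keeps counting against the target rather than disappearing
    from the statistics.
    """
    end = alert.acknowledged_at or now
    return end - alert.raised_at


def sla_report(alerts, now, severity="high",
               target=timedelta(hours=1), required_fraction=0.95):
    """Compliance report for alerts of one severity against a response target.

    Returns counts, the fraction answered within target, the ids that breached
    it (including open alerts past the target), the worst response time seen,
    and whether the required fraction was met.
    """
    in_scope = [a for a in alerts if a.severity == severity]
    breaches = [a.alert_id for a in in_scope if response_time(a, now) > target]
    within = len(in_scope) - len(breaches)
    fraction = within / len(in_scope) if in_scope else 1.0
    worst = max((response_time(a, now) for a in in_scope), default=timedelta(0))
    return {
        "total": len(in_scope),
        "within_target": within,
        "compliance": fraction,
        "breaches": breaches,
        "worst_response": worst,
        "meets_target": fraction >= required_fraction,
    }


def demo_report():
    """Run the report over the constructed sample queue."""
    return sla_report(SAMPLE_ALERTS, REPORT_TIME)


if __name__ == "__main__":
    report = demo_report()
    print(f"high-priority alerts: {report['total']}, "
          f"within 1h: {report['within_target']}, "
          f"compliance: {report['compliance']:.0%}, "
          f"meets 95% target: {report['meets_target']}")
    for alert_id in report["breaches"]:
        print(f"  breach: {alert_id}")
    print(f"worst response: {report['worst_response']}")
```

Running this over the sample queue reports two of four high-priority alerts answered within the hour (50% compliance, target not met), with the open alert counted as a breach. In practice the same computation would be fed from the ticketing or SIEM case system and reviewed per shift, so that a run of missed targets is visible long before a regulator asks about it.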
Key takeaways
The ICO’s enforcement action shows it considers a well-run and well-funded SOC essential. Without it, an organization cannot claim to have in place proper safeguards for personal data. IT and legal teams may use this finding to push for better funding and oversight from boards and executives.
Large organizations, especially multinationals, should keep their data mapping complete and current. This helps when planning penetration tests. The ICO understands that full-scale tests may not be practical for big corporate groups. However, lessons from smaller tests should be shared across the group.
The ICO continues to refer to industry standards when deciding whether there has been a breach of the UK GDPR.[1] These standards help organizations assess whether their technical and organizational measures are strong enough to mitigate the risks posed by a cyber security attack, and also help defend the organization’s position to the ICO, should that ever become necessary.
[1] The ICO referred to NCSC guidance including NCSC’s Cyber Assessment Framework, guidance from Microsoft, CIS Critical Security Controls, ISO 27001, ISO/IEC 27035, NIST 800-61 Rev 2, NIST 800-83 Rev 1 and Cybersecurity & Infrastructure Security Agency advisories.