Capita’s £14m ICO fine – lessons in cyber resilience for trustees

Samantha Howell

On 15 October 2025, the Information Commissioner’s Office (the “ICO”) issued a £14m fine to Capita in relation to a cyber-attack which took place in 2023 during which hackers accessed the personal information of 6.6 million people. 

The attack

The ICO's statement on the fine sets out a summary of the attack itself. In short, the attack on Capita began when a malicious file was unintentionally downloaded onto an employee device on 22 March 2023. The device was eventually quarantined, but only 58 hours later, and in the interval the attacker was able to deploy malware that gave continued access to Capita’s systems. Almost one terabyte of data was exfiltrated between 29 and 30 March 2023, after which ransomware was deployed onto Capita’s systems on 31 March 2023. During that time, the attacker managed to reset all user passwords, locking Capita staff out of their own systems and networks.

According to reports, the attack was claimed by the Black Basta ransomware group. The group posted documents which it alleged were stolen from Capita’s systems and, subsequently, the information disappeared from the site; whilst nothing has been confirmed, this action by ransomware groups often indicates that a ransom payment has been made. 

The attack saw the personal information of 6.6 million people stolen, ranging from pension records and staff records to the details of customers of organisations that Capita supports. 

This was the first significant cyber attack to shake the pensions industry and it has shaped the actions of the Pensions Regulator (who has since produced updated cyber security guidance) and, as a result, of pension scheme trustees in this area. We have followed developments relating to this incident closely over the past two years and have written previous updates on what the incident means for pension schemes and the long-lasting repercussions of a cyber attack. In our view, this cyber incident contributed to 2024 being a year of reform for cyber security in the pensions context, with more updates expected on the horizon.

The fine

Now, over two years later, the ICO has issued a £14m fine against Capita for the incident - more specifically, Capita plc has been fined £8m and Capita Pension Solutions Limited has been fined £6m. 

According to the ICO's statement, Capita were found to have failed (at the relevant time) to:

  • prevent privilege escalation and unauthorised lateral movement; 

  • respond appropriately to security alerts; and 

  • have adequate penetration testing and risk assessment in place.

In that statement, the conclusion of the UK Information Commissioner, John Edwards, was clear: “Capita failed in its duty to protect the data entrusted to it by millions of people. The scale of this breach and its impact could have been prevented had sufficient security measures been in place.”

Some good news for Capita is that the initial proposed fine was reduced significantly. Initially, the ICO intended to fine Capita a combined total of £45m, but following Capita’s representation and submission of mitigating factors, this sum was substantially reduced. Critical factors in reducing the fine included improvements made after the attack, support offered to affected individuals and engagements with other regulators and the National Cyber Security Centre. 

The £14m fine represents a voluntary settlement between the ICO and Capita, with Capita admitting liability and agreeing to pay the settlement without appealing the decision. 

Cost implications for Capita

Earlier in the year, we published a blog about the cost implications for Capita following this incident. At that time, Pensions Age reported that Capita had incurred cumulative net costs of £29.3 million in relation to the incident. These costs reported at that time will not have taken the ICO’s fine into account, placing Capita’s known cumulative costs in the region of £45m. 

It has been reported that this is the biggest fine the ICO have issued in the context of a ransomware attack. Given the prevalence of ransomware attacks in all sectors – not only pensions – news of this fine and the ICO’s findings will make sobering reading for businesses and organisations grappling with how to build their own cyber resilience. 

It has not been confirmed whether Capita did pay a ransom in this case. If a ransom was paid then that would be an additional unconfirmed amount on top of the known costs of this cyber incident (which are already hugely significant). It is worth noting that even if a ransom is paid, that fact will not mitigate against a regulatory fine (i.e. just because you have paid a hacker it does not mean that an ICO fine will be waived or reduced). 

Key takeaways for trustees

Capita’s fine does not create any new obligations for affected schemes. Any scheme that was impacted by the Capita incident should have taken steps in accordance with the scheme’s incident response plan when Capita first notified the trustees of the incident.

However, in our view, some action points that may be helpful at this stage are: 

  1. We encourage trustees (whether affected by the incident or not) to cover this topic at their next trustee board meeting or trustee training day, as part of their legal update. 

  2. Given that Capita and the ICO have released statements about the fine, members in affected schemes may query what this means for them. Trustees may, therefore, wish to create a “standard” response that they can issue to their members (either proactively or reactively). 

  3. Schemes that were affected and who chose to extend the period of membership for Experian monitoring services that Capita initially offered may wish to consider whether to extend that period once again for affected members’ benefit at the relevant time. 

More generally, this announcement invites trustees to take stock and review their scheme’s approach to cyber security. This feels appropriate given that, while the Pensions Regulator recognises that cyber security is being prioritised by schemes, in its recent Market oversight report on administrator relationships published in September 2025 it warns that there “remain gaps in security certification, supplier checks, and incident planning”.

As part of this, we recommend that trustees are able to demonstrate their approach to data and asset mapping and that they undertake third party supplier reviews to understand their cyber footprint and risk profile (both from a due diligence and from a contractual perspective).  Regarding the latter, we advise trustees to establish a rolling process for the review of third-party suppliers (particularly key suppliers such as the scheme administrator) in line with the Pensions Regulator’s guidance, which should be done in a proportionate way (taking into account the size of the scheme and its risk profile).  

In the long term, trustees should consider what actions should be taken to build on their plan’s cyber resilience. Cyber security is an evolving and ongoing risk so schemes need to devise a plan to address such a risk and to become and remain resilient in line with industry best practice. 

How can we help?

We would be very happy to help pension scheme trustees with the key takeaways set out above and with building their scheme’s cyber resilience. Details of our experience in advising pension schemes in relation to cyber security can be found on our dedicated webpage.  

If you are interested in finding out more, please contact Richard Pettit, Samantha Howell, Amy Khodabandehloo or your usual Burges Salmon contact.


https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/10/capita-fined-14m-for-data-breach-affecting-over-6m-people/