Capita fined £14M after 2023 ransomware breach exposed data of 6.6 million people — not 66 million

Introduction: what happened and why it matters

The UK Information Commissioner’s Office (ICO) has fined outsourcing giant Capita a combined £14 million for “failing to ensure the security of personal data” during a March 2023 cyberattack later claimed by the Black Basta ransomware group. The breach exposed sensitive information on approximately 6.6 million individuals across hundreds of client organisations—primarily pension schemes—making it one of the UK’s most consequential data incidents of recent years.

Note: Early headlines mistakenly cited “66 million” affected; the ICO and multiple major outlets confirm 6.6 million.

In brief

  • Regulator & penalty: ICO issues £14M fine: £8M for Capita plc and £6M for Capita Pension Solutions Ltd. An initial draft penalty near £45M was reduced after remediation and cooperation.
  • Scale: Data on ~6.6M people and ~325 organisations impacted (out of ~600 schemes serviced by Capita’s pensions arm).
  • Entry & dwell: The attack began on 22 March 2023 when a malicious file was downloaded. Although it was detected within ~10 minutes, the infected device was not isolated for 58 hours, enabling lateral movement, data theft (nearly 1TB), and ransomware deployment.
  • Data types: Pension and staff records, financial details, and special-category data; some information later appeared on criminal leak sites.
  • Attribution: Black Basta listed Capita on its leak site and claimed the attack.

Context: why Capita was a high-value target

Capita provides business process services to UK public and private sectors, including administration for hundreds of pension schemes. The company publicly acknowledged that the 2023 incident contributed to significant financial impacts in 2023–2024 and reputational damage—consistent with the pattern seen in Black Basta campaigns against large enterprises.

Black Basta has become one of the most aggressive big-game ransomware groups since 2022, frequently using double-extortion and publishing stolen data to pressure victims.

Technical analysis: what went wrong

According to the ICO and detailed reporting:

  • Initial foothold: A Capita employee downloaded a malicious file on 22 March 2023. Telemetry flagged the event quickly, but containment lagged.
  • Delayed isolation: Despite detection within ~10 minutes, the device was not isolated for 58 hours, allowing lateral movement and extensive data exfiltration (nearly 1TB) before ransomware was detonated.
  • Control weaknesses cited by ICO: poor access controls, delayed alert response, understaffing, and inadequate testing/patching in parts of the environment.
  • Threat actor behaviour: Black Basta is known to steal data before encryption and to publicly list victims; Capita was listed and data samples were posted, then later removed—often a sign of negotiations or settlement, though Capita has not confirmed any payment.

Practical consequences and risks

  • For individuals: Exposure of identifiers, pension data, and in some cases financial or criminal-records information raises risks of identity fraud, targeted phishing, and social engineering (e.g., pension-transfer scams).
  • For organisations: Third-party (supplier) risk materialised at scale: ~325 client schemes were affected via a single provider. Expect long-tail legal claims, regulatory scrutiny, and increased vendor-risk assessment requirements.
  • For the industry: The case reinforces the ICO’s stance that slow containment and weak basic controls can translate into eight-figure penalties under UK GDPR, even when firms subsequently cooperate.

What defenders should do now (operational recommendations)

  1. Tighten EDR response SLAs: Treat high-fidelity alerts as page-all-hands events. Set automated network isolation playbooks to minutes, not hours.
  2. Block macro/malicious file vectors: Enforce application control, mark-of-the-web policies, and cloud sandboxing for internet-sourced files.
  3. Hardening & identity hygiene: Least privilege, PAM for admin accounts, and conditional access. Black Basta frequently pivots via credentials; remove standing privileges and rotate secrets.
  4. Data minimisation & segmentation: Reduce sensitive data footprints and segregate pension/HR datasets; enforce egress monitoring and DLP on crown-jewel stores.
  5. Tabletop full kill-chain scenarios: Practice rapid isolate → investigate → eradicate → communicate drills with executives and third-party stakeholders.
  6. Third-party risk: Require suppliers to meet concrete controls (MFA everywhere, EDR with auto-containment, 24/7 SOC) and evidence them via audits.
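As an added illustration of the containment-SLA point in items 1 and 5 (this is not code from the cited reports or from Capita's own tooling), the script below computes detection-to-isolation time per host from constructed EDR/SOAR events and flags SLA breaches; the 58-hour sample mirrors the timeline described above, while the host names, timestamps and 15-minute SLA are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample EDR/SOAR events (not real telemetry). ws-1 reproduces the
# "detected quickly, isolated ~58 hours later" pattern; ws-2 is contained within
# minutes; ws-3 has been detected but never isolated.
EVENTS = [
    {"host": "ws-1", "type": "malicious_file_detected", "ts": "2023-03-22T09:00:00"},
    {"host": "ws-1", "type": "host_isolated",           "ts": "2023-03-24T19:10:00"},
    {"host": "ws-2", "type": "malicious_file_detected", "ts": "2023-03-22T10:00:00"},
    {"host": "ws-2", "type": "host_isolated",           "ts": "2023-03-22T10:07:00"},
    {"host": "ws-3", "type": "malicious_file_detected", "ts": "2023-03-22T11:00:00"},
]


def parse(ts):
    """Parse an ISO-8601 timestamp string into a datetime."""
    return datetime.fromisoformat(ts)


def containment_report(events, sla=timedelta(minutes=15), now=None):
    """Return, per host, time from first detection to first isolation and whether
    that exceeds the SLA. Hosts with no isolation event are reported as still
    open, with elapsed time measured up to `now` (a datetime or ISO string)."""
    now = parse(now) if isinstance(now, str) else (now or datetime.now())
    detected, isolated = {}, {}
    for e in events:
        t = parse(e["ts"])
        if e["type"] == "malicious_file_detected":
            detected[e["host"]] = min(t, detected.get(e["host"], t))
        elif e["type"] == "host_isolated":
            isolated[e["host"]] = min(t, isolated.get(e["host"], t))
    report = {}
    for host, t0 in detected.items():
        t1 = isolated.get(host)
        elapsed = (t1 - t0) if t1 else (now - t0)
        report[host] = {
            "contained": t1 is not None,
            "hours": round(elapsed.total_seconds() / 3600, 2),
            "sla_breached": elapsed > sla,
        }
    return report


if __name__ == "__main__":
    for host, r in containment_report(EVENTS, now="2023-03-22T12:00:00").items():
        status = "OPEN" if not r["contained"] else "contained"
        flag = "SLA BREACH" if r["sla_breached"] else "ok"
        print(f"{host}: {status} after {r['hours']}h -> {flag}")
```

Feeding real EDR events into this gives a mean-time-to-contain figure that makes a 58-hour gap visible on a dashboard rather than in a post-incident report.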

How this compares to other UK GDPR cases

While not the largest UK GDPR fine (e.g., British Airways received £20M in 2020), £14M places Capita among the more significant UK enforcement actions—particularly notable given the strong third-party impact on pensions administration.

Summary: key takeaways

  • Fact check the number: the affected population is ~6.6M, not 66M.
  • Speed matters: A 58-hour containment delay converted a single device compromise into a systemic breach and ransomware incident.
  • Supply chain blast radius: Centralised outsourcers amplify risk; insist on measurable controls and rapid-response capabilities.
  • Regulatory posture: Cooperation helps, but foundational security gaps still drew an eight-figure penalty.

Sources / bibliography

  • ICO statement: “Capita fined £14m for data breach affecting over 6m people,” 15 Oct 2025. (Information Commissioner’s Office)
  • Financial Times: coverage confirming 6.6M individuals, 58-hour delay, and data types. (Financial Times)
  • The Guardian: timeline (10-minute detection, 58-hour isolation), near-1TB exfiltration, and control weaknesses. (The Guardian)
  • BleepingComputer: incident timeline and technical specifics around initial malicious file and dwell time. (BleepingComputer)
  • Computer Weekly: Black Basta claim and broader impact on affected individuals. (Computer Weekly)