UK’s Capita fined £14 million over 2023 cyber breach affecting 6.7 million people

Capita has been fined £14 million ($18.7 million) by the UK Information Commissioner’s Office (ICO) for failing to protect personal data during a 2023 cyberattack that compromised information belonging to 6.7 million individuals, the outsourcing firm said on Wednesday.

The company, which provides services to UK government departments and major corporations, said the fine was part of a settlement with the ICO. Capita had previously estimated that the breach could cost up to £20 million in financial damages.

The ICO report found that Capita failed to maintain adequate network protections, allowing unauthorized access and privilege escalation, and did not respond properly to early security alerts. The regulator said the case underscored the growing pressure on British companies to strengthen cyber defenses following major breaches at Marks & Spencer, Co-op, and Jaguar Land Rover.

“With so many cyber attacks in the headlines, our message is clear: every organization, no matter how large, must take proactive steps to keep people’s data secure,” said John Edwards, the UK’s Information Commissioner.

Capita said it has since introduced advanced cybersecurity measures and completed an internal overhaul of its digital infrastructure. “Following an extended period of dialogue with the ICO, we are pleased to have concluded this matter,” said CEO Adolfo Hernandez.

The firm expects a free cash outflow of £59 million–£79 million in 2025, up from previous guidance of £45 million–£65 million, but noted that all other financial targets remain unchanged.

According to the National Cyber Security Centre (NCSC), the number of “highly significant” cyber incidents in Britain has doubled year-on-year, reflecting growing systemic risks across the public and private sectors.