Capita fined US$18.8 million over massive UK cyber data breach in 2023

LONDON, UNITED KINGDOM — The United Kingdom’s Information Commissioner’s Office (ICO) has fined outsourcing firm Capita £14 million (US$18.80 million) after a major data breach exposed the personal information of 6.6 million people.
According to a report by the BBC, regulators said the company “failed to ensure the security of processing of personal data,” leaving it “at significant risk” during a cyberattack in March 2023.
The fine, initially set at £45 million (US$60.44 million), was reduced after discussions with the company, which argued it had since strengthened its cybersecurity framework and engaged with regulators to assist affected parties.
A costly cyberattack with lasting consequences
The attack, later linked to the Black Basta ransomware group, triggered a three-day IT outage that disrupted access to Capita’s Microsoft Office 365 systems, limiting client services and raising concerns across the UK government, one of Capita’s largest clients with £6.5 billion (US$8.73 billion) in contracts.
“This caused disruption to some services provided to individual clients, though the majority of our client services remained in operation,” Capita said in a statement at the time.
In the months following the breach, Capita confirmed that employee data, including national insurance numbers, pension details, and home addresses, had been stolen by Russian hackers. The company faced criticism for its delayed disclosure, with staff accusing executives of downplaying the severity of the incident.
Former CEO Jon Lewis announced his resignation later that year, with Adolfo Hernandez, formerly of Amazon Web Services, taking over amid the company’s deepening cybersecurity and financial troubles. The fallout from the attack contributed to €126.5 million (US$138 million) in annual losses, alongside a 54% plunge in Capita’s share price and eroded investor confidence.
“We have not yet delivered the operational excellence that will let us create the right platform for future growth,” Hernandez admitted in a company statement, pledging further cost cuts and cybersecurity investments.
Regulatory scrutiny intensifies for outsourcing sector
The ICO criticized Capita for failing in its duty to protect the data entrusted to it by millions of people. Information Commissioner John Edwards said, “The scale of this breach and its impact could have been prevented had sufficient security measures been in place.”
Cybersecurity expert Trevor Dearing of Illumio added that the penalty “sends a message to the market that regulators are serious and tells victims that their stolen data does matter.”
The attack’s aftermath underscores a broader pattern: the UK’s National Cyber Security Centre (NCSC) has warned of an increase in “nationally significant” cyber incidents this year, including breaches at Co-op, M&S, Harrods, and Jaguar Land Rover.
Capita cyber breach marks turning point in data security
The Capita incident highlights the fragility of cybersecurity within the outsourcing sector, where companies handle massive troves of public and private data. As global clients increasingly depend on third-party service providers, the pressure to prove resilience and transparency has never been greater.
For an industry built on trust, the Capita case serves as both a warning and a turning point. It signals that operational efficiency alone can no longer define outsourcing success; robust data governance and proactive cyber risk management are now core to client confidence and regulatory compliance.
As outsourcing firms continue to expand digital operations, Capita’s experience may prompt others to rethink security investments, recognizing that reputational damage and financial loss from cyber negligence can far outweigh the cost of prevention.
Capita previously ranked #28 in the OA500 2025, an objective index of the world’s top 500 outsourcing companies.

Independent