Evidence IT

In a stark reminder of how vulnerable large-scale outsourcing firms can be to cyber threats, Capita now faces a major legal claim on behalf of up to 6.6 million people affected by a 2023 cyberattack, the same breach that recently earned the firm a multi-million-pound fine from the national data regulator.

The 2023 Breach: What Went Wrong

In March 2023, Capita, which provides business process services including pension administration, staff record handling and other services for both private and public sector clients, suffered a substantial cyberattack. Within just ten minutes of a malicious file being downloaded onto an employee’s device, a high-priority security alert was triggered. But crucially, Capita failed to act swiftly: the infected device was not quarantined until 58 hours later. During this delay, the threat actor was able to escalate privileges, move laterally across Capita’s network and access sensitive databases. Between 29 and 30 March, almost one terabyte of data was exfiltrated. The following day, ransomware was deployed and user passwords were reset, locking out staff and plunging Capita’s systems into chaos.


The stolen data affected approximately 6.6 million individuals, including pension scheme members, staff and clients’ customers. For many, the breach exposed sensitive or “special category” data: financial records, criminal-record information, sometimes even data related to health, religion or orientation.

Regulatory Fallout: The £14 Million Fine

In October 2025, the Information Commissioner’s Office (ICO), the UK’s data protection watchdog, fined Capita a total of £14 million: £8 million to Capita plc, and £6 million to its subsidiary Capita Pension Solutions Limited (CPSL).

The ICO originally intended to impose a much larger penalty, around £45 million, but the final amount was reduced in recognition of remedial measures taken by Capita after the breach, their cooperation with regulators, and engagement with the national cyber security agency.

Yet for many, the fine alone feels insufficient. As the ICO’s statement made clear, Capita “failed in its duty” to protect the personal data entrusted to it.

Legal Action: Claim on Behalf of Millions

Now, almost two years after the breach, Capita is facing further pressure in the form of a major legal claim. According to a December 2025 report, a lawsuit has been filed in London on behalf of as many as 6.6 million people, aiming to secure compensation for the “distress and financial loss” caused by what is described as a breach of duty.

Some of the claimants are already identified: back in March 2024, law firm Barings Law filed a claim on behalf of 3,973 individuals under the UK GDPR and the former Data Protection Act 1998. These claimants are seeking compensation for both the compromise of their personal data and the distress the breach caused.
Capita applied in July 2025 to strike out parts of the claim; that application was scheduled for hearing in October.

What Went Wrong — According to ICO

The ICO’s investigation found multiple systemic failures at Capita:

  • Capita lacked proper technical and organisational measures to secure data
  • There was a failure to prevent unauthorised privilege escalation and lateral movement: some administrative accounts had broad privileges, a vulnerability that had been flagged as high risk on multiple prior occasions but was never remediated
  • The response to the initial security alert was woefully inadequate. Although an alert triggered within 10 minutes, the responsible device was left connected and active for 58 hours, far beyond acceptable incident response timeframes
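The ICO finding above is, in SOC terms, a time-to-containment failure. As an added example that is not from the article or from Capita’s own tooling, the Python below measures, for each alert, how long it took before the affected host was quarantined, compares that against a per-severity containment target, and flags alerts that were contained late or never contained at all. The event records, hostnames, alert IDs and SLA values are all constructed for this illustration; only the 58-hour gap mirrors the pattern the article describes.

```python
from datetime import datetime, timedelta

# Per-severity containment targets in hours (hypothetical values for this example).
CONTAINMENT_SLA_HOURS = {"high": 1, "medium": 8, "low": 24}

# Constructed sample events, not real telemetry. Host ws-0417 reproduces the
# pattern in the article: a high-priority alert, then quarantine 58 hours later.
SAMPLE_EVENTS = [
    {"ts": "2023-03-22T09:00:00", "event": "alert", "id": "A-1", "host": "ws-0417", "severity": "high"},
    {"ts": "2023-03-22T09:05:00", "event": "alert", "id": "A-2", "host": "ws-0912", "severity": "high"},
    {"ts": "2023-03-22T09:40:00", "event": "quarantine", "host": "ws-0912"},
    {"ts": "2023-03-24T19:00:00", "event": "quarantine", "host": "ws-0417"},
    {"ts": "2023-03-25T08:00:00", "event": "alert", "id": "A-3", "host": "srv-db01", "severity": "medium"},
]


def _parse(ts_iso):
    return datetime.fromisoformat(ts_iso)


def assess_containment(events, now_iso):
    """For every alert, find the first quarantine of the same host at or after the
    alert time and classify the result:
      'within_sla'  - contained inside the target for that severity
      'breached'    - contained, but later than the target
      'uncontained' - no quarantine recorded as of now_iso
    Returns a list of finding dicts in alert-time order."""
    now = _parse(now_iso)
    quarantines = sorted(
        (_parse(e["ts"]), e["host"]) for e in events if e["event"] == "quarantine"
    )
    findings = []
    for e in sorted(events, key=lambda x: x["ts"]):  # ISO timestamps sort lexically
        if e["event"] != "alert":
            continue
        raised = _parse(e["ts"])
        sla = timedelta(hours=CONTAINMENT_SLA_HOURS[e["severity"]])
        contained_at = next((t for t, h in quarantines if h == e["host"] and t >= raised), None)
        if contained_at is None:
            elapsed = now - raised          # still open: measure against the clock
            status = "uncontained"
        else:
            elapsed = contained_at - raised
            status = "within_sla" if elapsed <= sla else "breached"
        findings.append({
            "id": e["id"],
            "host": e["host"],
            "severity": e["severity"],
            "hours": round(elapsed.total_seconds() / 3600, 2),
            "sla_hours": sla.total_seconds() / 3600,
            "status": status,
        })
    return findings


def sla_breaches(events, now_iso):
    """Only the findings a SOC lead needs to escalate: late or still-open containment."""
    return [f for f in assess_containment(events, now_iso) if f["status"] != "within_sla"]


if __name__ == "__main__":
    for f in assess_containment(SAMPLE_EVENTS, "2023-03-26T09:00:00"):
        print(f"{f['id']} {f['host']:<9} {f['severity']:<6} "
              f"{f['hours']:>6.1f}h (target {f['sla_hours']:.0f}h) {f['status']}")
```

Run against the constructed events, A-1 reports 58 hours against a 1-hour target and is flagged as breached, A-2 was quarantined within 35 minutes, and A-3 has no quarantine at all and is reported as uncontained. The point of keeping the "uncontained" state separate from "breached" is that an alert nobody has acted on is the one most likely to become the 58-hour case described in the article.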


In the regulator’s words, “the scale of this breach and its impact could have been prevented” had sufficient safeguards been in place.

Capita’s Response and What It Says Now

Facing mounting regulatory and legal consequences, Capita acknowledged the breach and the ICO’s findings. In a public statement, the company said it regretted the incident and confirmed all identified individuals potentially impacted had been contacted.

Since the attack, Capita says it has “hugely strengthened” its cybersecurity posture. According to its new leadership, following a change in CEO, the firm has invested heavily in new digital protections, reorganised its security operations, and embedded a “culture of continuous vigilance.”

But the lingering questions remain: will that be enough to restore public trust? And will the upcoming legal proceedings force Capita and other firms like it to fundamentally rethink how they handle and protect personal data?

Broader Implications: Lessons for Outsourcers and Clients

The unfolding situation has significance far beyond Capita itself. For any organisation outsourcing critical services (payroll, pension administration, HR, IT support, benefits processing), the case sets a stark precedent: if you outsource sensitive data, you remain responsible for it.

Under the UK GDPR framework, firms must apply robust technical and organisational measures to prevent data loss, ensure rapid containment of incidents and protect against privilege escalation or lateral movement.

Failures can carry multi-million pound regulatory fines, not to mention public lawsuits and unstoppable reputational damage.

For clients of outsourcing firms, whether businesses or public sector bodies, the Capita case should be a wake-up call: due diligence matters. Understand where your data goes, who handles it and how it is protected, and demand accountability.

Finally, for individuals whose data may be held by such firms: stay vigilant. Even if regulators impose fines or firms promise better protection, a breach can have lasting consequences. If you suspect your records were involved in a breach, monitor financial statements and credit or identity-monitoring alerts, and consider whether legal recourse may be possible.

Conclusion

The decision by the ICO to fine Capita £14 million and the mounting legal action on behalf of millions of affected individuals mark one of the most significant data-protection fallout cases in recent UK history.

Capita’s failure to act swiftly and thoroughly in response to what began as a single malicious file has cascaded into a full-blown crisis: data exfiltration, ransomware, corporate penalty and legal liability on a mass scale.

As the legal claims progress, and with public confidence shaken, the Capita case will almost certainly be studied closely by regulators, clients, and outsourcing providers alike.

For many organisations, it may prove the turning point: a call to treat data protection not as a box-ticking exercise, but as a core responsibility.

Let us all hope the lessons learned here help prevent similar disasters in the future.

Source: https://www.law360.co.uk/commercial-litigation-uk/articles/2416524?nl_pk=63025096-9514-4f87-aafa-0e0ba559e513&utm_source=newsletter&utm_medium=email&utm_campaign=commercial-litigation-uk&utm_content=2025-12-02&read_main=1&nlsidx=0&nlaidx=0
