The Information Commissioner’s Office (ICO) has fined Capita and Capita Pension Solutions a combined £14m following a cyberattack in April 2023 in which hackers were able to access the data of over six million people.

Capita must pay an £8m penalty while Capita Pension Solutions (CPSL) has been fined £6m for infringements of the UK General Data Protection Regulation (GDPR).

The ICO originally proposed a penalty of £25m for Capita and £20m for CPSL, but after Capita argued this was disproportionate and legally flawed, the commissioner reduced the fines.

The infringements relate to the way the businesses processed personal data for the provision of business services, including pensions administration, human capital resourcing and document management solutions.

In processing this data, the Capita entities failed to adopt technical and organisational measures to protect against further unauthorised processing, which left them vulnerable to the cyberattack that took place between 22 March and 31 March 2023.

On 10 October 2025, the Capita businesses entered into a voluntary settlement agreement with the ICO to resolve the investigation. They admitted to the infringements and agreed to pay the penalties.