Overview
- Capita plc was fined £8m and Capita Pension Solutions £6m, with 325 pension schemes among those affected.
- The ICO cited systemic failings, including no tiered admin access, an understaffed security operations centre and inadequate penetration testing.
- The attack began on 22 March 2023 when malware was downloaded; despite a high-priority alert, the device was quarantined only after 58 hours.
- Ransomware was deployed on 31 March after about one terabyte of data was exfiltrated; later reporting linked the incident to the Black Basta group.
- Capita accepted liability and says it has strengthened cybersecurity, while thousands pursue legal claims and the firm now guides 2025 free cash outflow at £59m–£79m.