Being Hacked Isn’t a Defence: What Capita’s 2025 £14m Fine Tells Us About GDPR Security Compliance

When Capita suffered a ransomware attack in March 2023, exposing the personal data of 6.6 million people, the outsourcing giant tried every defence in the book. They argued they were victims of a sophisticated cyber attack. They pointed to their post-incident remediation work. They even suggested that fining large processors might discourage digital economy growth.

The Information Commissioner’s Office (ICO) wasn’t buying it. On 15 October 2025, the regulator handed down a £14 million penalty (initially calculated at £58 million before settlement). The message was unambiguous: being targeted by criminals does not excuse inadequate security measures.

The Myth of the ‘Sophisticated Attack’ Defence

Demonstrating that an attack was sophisticated does not provide regulatory cover under Article 32 of the UK GDPR. Capita made this mistake, and the ICO’s enforcement decision systematically dismantled the defence by focusing on what Capita had failed to do before the attack occurred.

The breach started when an employee downloaded a malicious JavaScript file on 22 March 2023. Within 10 minutes, Capita’s security systems generated a high-priority (P2) alert. Then came the critical failure: the compromised device wasn’t quarantined for 58 hours. That delay gave the attacker time to escalate privileges, move laterally across multiple domains, and ultimately exfiltrate nearly one terabyte of data including special category information such as health records, criminal records and biometric data.

According to Capita’s own service level agreement, P2 alerts should be addressed within one hour. Instead, it took more than two days. The ICO found this failure breached Article 32(1)(b) and (d) of the UK GDPR, which requires organisations to implement measures for the ongoing confidentiality, integrity, availability and resilience of processing systems.

Post-Incident Remediation Doesn’t Absolve Prior Failures

Capita’s second main defence was that it had already taken steps to strengthen its security posture following the incident. The company invested in new cybersecurity leadership, implemented advanced protections, and offered 12 months of credit monitoring to affected individuals through Experian. Surely this demonstrated good faith?

The ICO rejected this argument outright. As Information Commissioner John Edwards stated, the organisation “failed in its duty to protect the data entrusted to it by millions of people.” The regulator noted that Capita still had outstanding remediation work, meaning the penalty was necessary to drive further improvement. More fundamentally, the ICO held that reactive security improvements after a breach cannot compensate for failures to implement appropriate measures beforehand.

This principle aligns with Article 5(1)(f) of the UK GDPR, which requires data controllers to process personal data in a manner that ensures appropriate security through technical or organisational measures. Capita had failed to implement a tiered administration model for privileged accounts, despite this being recommended in penetration tests conducted months before the attack. The regulator found that these vulnerabilities had been identified repeatedly but were neither remediated nor communicated effectively across the group.

Processors Face the Same Security Obligations as Controllers

The ICO fined two separate Capita entities: Capita plc (£8 million as data controller) and Capita Pension Solutions Limited (£6 million as data processor). This dual enforcement sends an important signal to the market. Processors handling large volumes of personal data on behalf of multiple controllers must independently satisfy their security obligations under Article 32, not simply rely on group-wide measures.

Capita argued that issuing separate fines to group companies amounted to double punishment and would discourage outsourcing providers from offering large-scale data processing services. The ICO dismissed both points. While the regulator did reduce the combined penalty to account for linked processing within a corporate group, it maintained that both entities owed distinct legal obligations and each had independently breached them.

For procurement teams and legal advisers assessing third-party processors, this enforcement decision underscores a critical point: the security obligations in your data processing agreements are not mere contractual boilerplate. Processors will be held to account by regulators, and their failures will expose your organisation to reputational harm even where you are not directly fined.

What This Means for Your Organisation

The Capita case provides a clear roadmap of regulatory expectations under the UK GDPR for large organisations processing substantial volumes of personal data. First, implement privileged access management controls following recognised frameworks such as ISO 27001. This means least privilege by default, dedicated administrator accounts, and tiered administration systems that limit the potential impact of compromised credentials.

Second, your security operations centre must be resourced and configured to meet your own service level agreements. If you commit to responding to high-priority alerts within one hour, your operating model must deliver that consistently. Alert escalation should be automated where possible, particularly for known threat indicators such as QakBot or Cobalt Strike signatures.
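To make the second recommendation concrete, here is an added illustration (not code from the article, from Capita or from the ICO) of the kind of check a security operations team can run continuously: it measures the time from an alert being raised to the affected host being contained, flags every alert that has exceeded the response SLA for its priority, and identifies open alerts that should be escalated automatically before the SLA expires. The alert records, the record format and the P1/P3/P4 targets are constructed for the example; only the one-hour P2 target and the 58-hour containment delay come from the article.

```python
"""
Added example: an alert-to-containment SLA checker. The pipe-delimited alert
records and the SLA table (other than the one-hour P2 target) are constructed
for illustration and do not reflect any real SIEM export or real organisation.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Response SLA per priority. P2 = one hour follows the article; the others are
# assumed values for the example.
RESPONSE_SLA = {
    "P1": timedelta(minutes=15),
    "P2": timedelta(hours=1),
    "P3": timedelta(hours=8),
    "P4": timedelta(days=2),
}


@dataclass
class Alert:
    alert_id: str
    priority: str
    host: str
    raised_at: datetime
    contained_at: Optional[datetime]  # None: the host has not been contained yet


@dataclass
class SlaResult:
    alert_id: str
    priority: str
    host: str
    sla: timedelta
    elapsed: timedelta      # time to containment, or time open so far
    breached: bool          # elapsed exceeds the SLA for this priority
    is_open: bool           # containment has not happened yet


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def parse_alert_line(line: str) -> Alert:
    """Parse one constructed record: id | priority | host | raised | contained."""
    alert_id, priority, host, raised, contained = [f.strip() for f in line.split("|")]
    return Alert(
        alert_id=alert_id,
        priority=priority,
        host=host,
        raised_at=parse_ts(raised),
        contained_at=parse_ts(contained) if contained else None,
    )


def evaluate(alert: Alert, now: datetime) -> SlaResult:
    """Compare elapsed time against the SLA; an open alert is measured up to `now`."""
    sla = RESPONSE_SLA[alert.priority]
    end = alert.contained_at if alert.contained_at is not None else now
    elapsed = end - alert.raised_at
    return SlaResult(alert.alert_id, alert.priority, alert.host, sla, elapsed,
                     breached=elapsed > sla, is_open=alert.contained_at is None)


def check_sla(lines: List[str], now: datetime) -> List[SlaResult]:
    return [evaluate(parse_alert_line(line), now) for line in lines if line.strip()]


def breach_ids(results: List[SlaResult]) -> List[str]:
    """Alert ids that have already missed their SLA, closed or not."""
    return [r.alert_id for r in results if r.breached]


def needs_escalation(result: SlaResult, warn_fraction: float = 0.5) -> bool:
    """Automatic escalation trigger: still open and past a fraction of the SLA."""
    return result.is_open and result.elapsed >= result.sla * warn_fraction


# Constructed sample records. ALRT-0001 mirrors the 58-hour delay described in
# the article; the hosts, ids and timestamps are invented.
SAMPLE_ALERTS = [
    "ALRT-0001 | P2 | ws-finance-17 | 2023-03-22T10:00:00 | 2023-03-24T20:00:00",
    "ALRT-0002 | P2 | ws-hr-03      | 2023-03-22T11:05:00 | 2023-03-22T11:45:00",
    "ALRT-0003 | P1 | srv-dc-01     | 2023-03-22T12:00:00 | ",
    "ALRT-0004 | P3 | ws-ops-22     | 2023-03-22T08:00:00 | 2023-03-22T13:00:00",
]
NOW = parse_ts("2023-03-22T14:00:00")  # constructed evaluation time


if __name__ == "__main__":
    for r in check_sla(SAMPLE_ALERTS, NOW):
        state = "OPEN" if r.is_open else "contained"
        flag = "SLA BREACH" if r.breached else "ok"
        esc = " -> escalate" if needs_escalation(r) else ""
        print(f"{r.alert_id} {r.priority} {r.host}: {r.elapsed} ({state}) {flag}{esc}")
```

Run as a script it prints one line per alert; in practice the same functions would be fed from the SIEM or ticketing system on a schedule, with `needs_escalation` driving a page to the on-call team rather than a print. Measuring against the organisation's own SLA table, rather than a generic benchmark, is the point: the ICO judged Capita against the one-hour P2 target it had set for itself.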

Third, act on penetration test findings before an incident occurs. The ICO emphasised that Capita’s vulnerabilities had been flagged repeatedly in testing but were not remediated group-wide. Organisations cannot wait for a breach to prioritise known security gaps. Under Article 32(2) of the UK GDPR, controllers and processors must assess the effectiveness of security measures on an ongoing basis.

Finally, if you handle personal data as a processor, ensure your security governance is demonstrably independent from your parent company or controller clients. The ICO will assess your individual compliance, not simply whether group policies exist on paper.

As Commissioner Edwards put it: “Cyber criminals don’t wait, so businesses can’t afford to wait either.” Seven years into GDPR enforcement, sophisticated attack claims no longer provide regulatory shelter. The only defence that matters is having appropriate technical and organisational measures in place before the breach occurs.