
Capita ransomware attack

A Black Basta ransomware intrusion into UK outsourcing giant Capita exposed pension and personal data on roughly 6.6 million people, drew a £14 million ICO fine, and cost the company over £25 million.

  • Victim: Capita
  • Loss: $32.0M
  • Records: 6.6M
  • Users: 6.6M

On 31 March 2023, the UK outsourcing and business-process giant Capita confirmed a cyber incident that turned out to be a Black Basta ransomware intrusion — one of the most consequential breaches in recent British corporate history given Capita's vast portfolio of government and pension-administration contracts.

What happened

Black Basta operators gained access to Capita's network on 22 March 2023. Capita's monitoring tooling raised a high-priority alert within 10 minutes, and some automated containment was triggered. But the company failed to quarantine the compromised device for 58 hours, during which the attackers moved laterally, escalated privileges, and exfiltrated data before deploying ransomware. Capita pulled portions of its infrastructure offline to contain the spread.

Impact

  • Personal data of approximately 6.6 million people was compromised, including pension records, staff details, and customer data belonging to Capita's clients.
  • Capita Pension Solutions, which processes data for over 600 pension schemes, reported that 325 client organisations were affected. Stolen data types included names, addresses, National Insurance numbers, bank details, passport and driving-licence scans, and criminal-record-check information.
  • Capita reported direct response costs of about £25.3 million and said the attack contributed to a £106.6 million annual loss for 2023.

Regulatory action

On 15 October 2025, the Information Commissioner's Office (ICO) fined Capita £14 million — split between Capita plc (£8 million) and Capita Pension Solutions (£6 million) — for failing to ensure the security of personal data. The ICO had initially proposed a £45 million penalty, reducing it after Capita demonstrated post-incident security improvements, provided 12 months of credit monitoring to affected individuals, and cooperated with the investigation. The regulator highlighted the 58-hour delay in isolating the compromised device as a central failing.

Why it matters

Capita is woven into the fabric of UK public services — running pension schemes, local-authority back-office systems, and central-government contracts. The breach showed how a single outsourcer can become a systemic data-protection risk affecting millions of citizens who never chose to share data with it. The ICO's reasoning made detection-to-containment speed, not just prevention, an explicit regulatory expectation, with Capita's 58-hour window held up as the cautionary benchmark.

Financial impact

Reported costs in USD

Total reported loss: $32.0M (USD $32,000,000)
  • Fines & settlements: $18.0M

Timeline

  1. Black Basta attackers gain access to Capita's network; a high-priority security alert fires within 10 minutes but the compromised device is not isolated.

  2. Capita publicly confirms a 'cyber incident' after the device is finally quarantined some 58 hours after the initial alert.

  3. Black Basta lists Capita on its dark-web leak site and begins publishing stolen data; Capita admits data was exfiltrated.

  4. Capita confirms personal data was likely compromised and begins notifying pension schemes and corporate clients.

  5. Capita reports the attack contributed to a £106.6 million annual loss, with direct response costs of about £25.3 million.

  6. The ICO fines Capita £14 million for failing to secure personal data of roughly 6.6 million people.

Sources

  1. ico.org.uk: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/10/capita-fined-14m-for-data-breach-affecting-over-6m-people/
  2. computerweekly.com: https://www.computerweekly.com/news/366632591/ICO-fines-Capita-14m-after-ransomware-caused-major-data-breach
  3. theregister.com: https://www.theregister.com/2024/03/06/capita_says_2023_cyberattack_recovery/
  4. computerweekly.com: https://www.computerweekly.com/news/366537238/Black-Basta-ransomware-attack-to-cost-Capita-over-15m