Earlier this week, the ICO announced that it has fined UK-based outsourcing company, Capita, £14 million under the UK GDPR following a data breach in March 2023 that affected more than 6 million people. There are a few interesting points about this case, both from a security controls and fine calculation/settlement point of view, which we summarize below. Key takeaways on the security side relate to controls to prevent lateral movement, and best practices relating to penetration tests, alert systems, and properly resourcing your organization’s security operations center (“SOC”).

What happened?

As the ICO explained in its press release, the cyber attack took place in March 2023. A hacker stole personal information of 6.6 million people from pension records and staff records. For some people, this included sensitive information such as details of criminal records, financial data or special category data.

Capita’s Security Failings

In its monetary penalty notice (“MPN”), the ICO identified several security failures, which it grouped into two overarching areas:

  1. Failure to prevent unauthorised lateral movement and privilege escalation within a network, including failure to remediate deficiencies identified in penetration tests

The ICO found that Capita had limited practical controls for privileged accounts; did not implement an Active Directory tiering model for administrative accounts; and did not utilise Privileged Access Management (“PAM”) controls such as least-privilege enforcement and just-in-time access. This enabled the threat actor to escalate privileges, move laterally across multiple domains, and compromise critical systems. The ICO found that Capita’s practices were not consistent with various guidance from the National Cyber Security Centre’s (“NCSC”), which recommends the use of a tiered administration system to reduce the potential impact a compromised privileged account.

Although Capita had detected these deficiencies in penetration tests on separate occasions prior to the breach, the MPN states that the company did not remedy these deficiencies. In addition, penetration test reports were held and acted on within individual business units, rather than managed or tracked centrally. This meant that vulnerabilities and remediation recommendations that affected the broader Capita environment were not applied widely across Capita and repeated warnings were left unaddressed.
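The tiering model referred to above is easiest to see as a check over logon telemetry. The following is an added illustration, not code from the ICO notice or from Capita: the account and host tier maps, the logon records and the `tier_violations` function are all constructed assumptions, and it flags the two things a tiering model exists to stop, a high-tier credential used on a low-tier host and privileged objects that sit outside the model altogether.

```python
"""Flag logons that cross an Active Directory tiering boundary.

Tiered administration (the NCSC guidance the ICO notice refers to) keeps
identity infrastructure (tier 0), servers (tier 1) and workstations (tier 2)
apart: a credential is only used on hosts of its own tier, so a compromised
workstation cannot yield a domain admin's credentials. Tier maps and events
below are constructed examples, not data from the notice or from Capita.
"""
from dataclasses import dataclass

# Constructed tier assignments (in practice derived from AD group
# membership and the asset inventory).
ACCOUNT_TIER = {"da-alice": 0, "srvadm-bob": 1, "carol": 2}
HOST_TIER = {"DC01": 0, "PAM01": 0, "APP07": 1, "SQL03": 1, "WS-1187": 2}

@dataclass(frozen=True)
class Logon:
    account: str
    host: str
    logon_type: int  # Windows logon type: 2 interactive, 10 RDP, 3 network

def tier_violations(events):
    """Return (account, host, reason) for each logon that breaks tiering.

    Interactive and RDP logons (types 2 and 10) leave reusable credential
    material on the host, so an admin logging on below its tier is flagged.
    Untiered accounts or hosts are flagged too: an object outside the model
    is exactly the gap lateral movement exploits.
    """
    findings = []
    for e in events:
        a_tier, h_tier = ACCOUNT_TIER.get(e.account), HOST_TIER.get(e.host)
        if a_tier is None or h_tier is None:
            findings.append((e.account, e.host, "untiered account or host"))
        elif e.logon_type in (2, 10) and h_tier > a_tier:
            findings.append((e.account, e.host,
                             f"tier {a_tier} credential used on tier {h_tier} host"))
    return findings

# Constructed sample: a domain admin RDPs to a user workstation, a server
# admin stays within tier 1, and one host is missing from the inventory.
SAMPLE = [
    Logon("da-alice", "WS-1187", 10),
    Logon("srvadm-bob", "APP07", 10),
    Logon("carol", "WS-1187", 2),
    Logon("da-alice", "DC01", 2),
    Logon("srvadm-bob", "FS-NEW", 3),
]
```

Running `tier_violations(SAMPLE)` reports the domain admin's RDP session to the workstation and the untiered file server, and nothing for the logons that stay within their tier.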

  2. Failure to respond appropriately to security alerts

The ICO noted that while Capita’s system generated a high-priority malicious alert within ten minutes of the initial breach, Capita did not quarantine and contain the device until over 58 hours later, allowing the threat actor to continue activity during that period. In addition, the alert was not classified and escalated appropriately. The ICO also found that the company’s SOC was under-resourced and under-performing. For example, the MPN states that the SOC had routinely been missing its target for responding to the type of alert raised in this incident well before the breach, and Capita is understood to have had only one SOC analyst per shift in place at the time of the incident. The ICO concluded that the delayed and insufficient response was a causal factor enabling persistence, privilege escalation, lateral movement, and data exfiltration.
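The "missing its target" finding above is a measurable quantity. The following is an added example, not from the ICO notice or from Capita, that replays constructed alert records against assumed per-priority containment targets and reports each alert that overran its target, treating a still-open alert as a breach once its age passes the target; the first record mirrors the ten-minute alert and 58-hour containment gap described in the notice.

```python
"""Check alert-to-containment times against SOC response targets.

The ICO notice describes a high-priority alert raised within ten minutes
of the initial compromise and the device not being contained until over
58 hours later. This check replays alert records against per-priority
targets and reports every alert that missed its target, including alerts
still open, so SLA drift is visible before an incident rather than after.
Targets and records below are constructed, not Capita's real telemetry.
"""
from datetime import datetime, timedelta

# Constructed containment targets in minutes, by alert priority.
TARGET_MINUTES = {"high": 60, "medium": 240, "low": 1440}

# Constructed records: (alert_id, priority, raised_at, contained_at or None).
ALERTS = [
    ("A-1001", "high", "2023-03-22T03:10", "2023-03-24T13:30"),  # ~58 hours
    ("A-1002", "high", "2023-03-22T09:00", "2023-03-22T09:40"),
    ("A-1003", "medium", "2023-03-22T11:15", "2023-03-22T18:00"),
    ("A-1004", "high", "2023-03-23T02:05", None),  # still open
]

def sla_report(alerts, now_iso, targets=TARGET_MINUTES):
    """Return (breaches, on_time_ratio).

    breaches: (alert_id, priority, minutes elapsed) for every alert whose
    containment time (or, if still open, its age at `now_iso`) exceeds the
    target for its priority. on_time_ratio counts only contained alerts
    that met their target, so open alerts never inflate the ratio.
    """
    now = datetime.fromisoformat(now_iso)
    breaches, on_time = [], 0
    for alert_id, prio, raised, contained in alerts:
        target = timedelta(minutes=targets[prio])
        end = datetime.fromisoformat(contained) if contained else now
        elapsed = end - datetime.fromisoformat(raised)
        if elapsed > target:
            breaches.append((alert_id, prio, int(elapsed.total_seconds() // 60)))
        elif contained:
            on_time += 1
    return breaches, (on_time / len(alerts) if alerts else 1.0)
```

With `sla_report(ALERTS, "2023-03-23T04:00")` the 58-hour containment, the overrun medium alert and the open high alert are all listed, and only one alert in four counts as on time.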

There is a lot of detail in this MPN, but key points for other organizations to consider include the importance of:

  • following NCSC guidance, e.g., on preventing lateral movement and secure system administration;
  • regularly monitoring for suspicious activity and responding to initial warnings and alerts in a timely manner;
  • ensuring that findings from penetration tests are addressed across the whole organization;
  • prioritising investment in key security controls to ensure that they are operating effectively; and
  • checking agreements and responsibilities between data controllers and data processors.

Settlement and Penalty Reduction

Another interesting aspect of this case relates to the settlement and reduction in the fine. The ICO issued a Notice of Intent to impose penalties in April 2025. Capita submitted written representations in June 2025, and the parties entered a voluntary settlement on October 10, 2025, where the ICO’s initially proposed penalty of £45 million was substantially reduced to £14 million.

When calculating the penalty amount, the ICO applied its standard five step approach set out in its fining guidance: (1) an assessment of the seriousness of the infringement; (2) accounting for the undertaking’s turnover; (3) calculation of the starting point, having regard to the seriousness of the infringement and, where relevant, the turnover of the undertaking; (4) adjustment to take into account any aggravating or mitigating factors; and (5) an assessment of whether the fine is effective, proportionate and dissuasive.

Based on Steps 1-4, the ICO calculated that the appropriate fines for the two Capita entities involved — Capita plc and Capita Pension Solutions Ltd (“CPSL”) — would be approximately £32.9 million and £25.2 million respectively, leading to a combined total of just over £58 million. The ICO considered that these sums would be effective and provide a deterrent, but ultimately decided that it would not be proportionate to impose fines of this level on two similar organisations given the infringements were “intrinsically linked”. This contributed, in Step 5, to a 65% reduction in the fines for Capita plc and CPSL to £11.5 million and £8.8 million respectively, leading to a combined total of just over £20.3 million. The ICO stated that this significant reduction in the penalty was appropriate “considering the fact that penalties are being imposed on two entities within one undertaking, the organisation’s current and future financial position, and Capita’s admission of liability.”

This figure was finally reduced to £14 million in light of Capita’s agreement to enter into a voluntary settlement in which it agreed to acknowledge the ICO’s decision, admit the infringements, and not appeal the decision.

* * *

The Covington team regularly advises clients on preventing and responding to data breaches in the UK and beyond. Please get in touch with a member of the team if you have any questions.

This post was drafted with the assistance of Sophia Bor, a trainee in the London office.

Mark Young


Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” and has “great insight into the regulators.” According to the most recent edition (2024), “He’s extremely technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 15 years of experience, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology, e.g., AI, biometric data, and connected devices.
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • Counseling ad networks (demand and supply side), retailers, and other adtech companies on data privacy compliance relating to programmatic advertising, and providing strategic advice on complaints and claims in a range of jurisdictions.
  • Advising life sciences companies on industry-specific data privacy issues, including:
      ◦ clinical trials and pharmacovigilance;
      ◦ digital health products and services; and
      ◦ engagement with healthcare professionals and marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance (collecting data from employees and others, international transfers, etc.).
  • Advising various clients on the EU NIS2 Directive and UK NIS regulations and other cybersecurity-related regulations, particularly (i) cloud computing service providers, online marketplaces, social media networks, and other digital infrastructure and service providers, and (ii) medical device and pharma companies, and other manufacturers.
  • Helping a broad range of organizations prepare for and respond to cybersecurity incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, supply chain incidents, and state-sponsored attacks. Mark’s incident response expertise includes:
      ◦ supervising technical investigations and providing updates to company boards and leaders;
      ◦ advising on PR and related legal risks following an incident;
      ◦ engaging with law enforcement and government agencies; and
      ◦ advising on notification obligations and other legal risks, and representing clients before regulators around the world.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of UK and EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.

Stacy Young

Stacy Young is an associate in the London office. She advises technology and life sciences companies across a range of privacy and regulatory issues spanning AI, clinical trials, data protection and cybersecurity.