Capita fined £14 million for data protection failings after cyber-attack

Capita Pension Solutions Ltd has been fined after failing to properly protect the data of millions of customers when it was hit by a major cyber attack in 2023.

23 October 2025 5 mins read
By Aarti Agarwal

In brief:

  • Capita Pensions Solutions Limited has been fined £14 million by the ICO for failing to protect customer data following a 2023 cybersecurity breach
  • The U.K. government and global regulators are urging firms to implement stronger cyber resilience programs following a sharp rise in cyber threats
  • Capita received a reduced fine from the ICO for proactive remediation efforts – another example of a regulator rewarding cooperation

The Information Commissioner’s Office (ICO) has fined Capita Pensions Ltd £14 million for data protection failings following a serious cyber security breach in 2023. The breach resulted in the personal information of 6.6 million people being stolen. The case has surfaced at a time when regulators and governments are calling on firms to take greater cyber resilience measures to combat the rise in cyber security threats, which are becoming increasingly sophisticated and common as technology advances.

Revenue secured, data unassured

Capita Pensions Solutions processes the personal information of 600 organizations and generated a substantial £2.4 billion in revenue in 2024. Of those 600 organizations, 325 (over half) were affected by the data breach, which resulted in a large pool of data being left unsecured.

The March 2023 attack on the outsourcing specialist exposed details of pension records, criminal convictions, and other financial data, as well as sensitive information such as home addresses and passport images. Rather than responding to a high-priority alert within the expected hour, Capita took 58 hours to respond. This was attributed to Capita’s security operations center being understaffed, and the delay meant a malicious file was not quarantined and the attacker was able to exploit existing systems before sharing the seized data on “the dark web.”

Interestingly, what was initially meant to be a £45 million fine was reduced to £14 million as a result of Capita admitting liability, implementing cybersecurity improvements following the attack, supporting individuals who were impacted, and engaging with regulators throughout the investigation. This is the latest example of regulators offering clemency to organizations that take clear, proactive steps to remediate issues and work cooperatively with investigations.

While Capita has focused on improving its cybersecurity systems and investing in better leadership and defence, firms must take this case as a warning sign. Firms need to work continually to ensure their operations are bulletproof against possible cyber-attacks. Commenting on the case, U.K. Information Commissioner John Edwards stated:

“Maintaining good cybersecurity is fundamental to economic growth and security. With so many cyber-attacks in the headlines, our message is clear: every organization, no matter how large, must take proactive steps to keep people’s data secure. Cyber criminals don’t wait, so businesses can’t afford to wait either – taking action today could prevent the worst from happening tomorrow.”

This isn’t just a cybersecurity breach …

Headlines in early 2025 were dominated by stories about major U.K. food retailers – although not ones about infamous legal tussles surrounding caterpillar cakes. Co-op and Marks & Spencer were hit by cyber-attacks which resulted in the theft of millions of customers’ data, weeks of service disruption, millions in lost revenue, and shaken consumer confidence.

The UK’s National Cyber Security Centre (NCSC) has noted that cyber security is high on its agenda, having dealt with a record 204 “nationally significant” cyber-attacks this year alone. The U.K. government is urging businesses to take precautions and the necessary steps to protect themselves from cyber-attacks. In fact, the government is strongly recommending that firms keep physical copies of their cyber-attack response plans in order to prevent empty shelves and halted production lines.

The NCSC’s annual review encourages firms to undertake “resilience engineering” to build systems that can anticipate, absorb, recover, and adapt in the event of an attack.

A simple to-do list for firms

Given the escalating severity and frequency of attacks, regulators are beginning to issue checklists to help firms identify gaps, prioritize improvements, and create structured response programs that meet regulatory standards.

The Financial Industry Regulatory Authority’s (FINRA) cybersecurity roadmap involves carving out a plan to help firms keep track of data, control system access and data encryption, and develop a contingency plan. Structured as a step-by-step guide, the checklist also includes examples of frequent errors or misconceptions firms may make in developing their cybersecurity posture – including having incomplete visibility of their data and treating their cybersecurity requirements as “optional.”

To meet mounting regulatory expectations and ensure data remains secure and protected, firms must prioritize identifying solutions that not only secure data but also provide comprehensive, efficient digital oversight. By choosing partners that allow for real-time monitoring and advanced threat protection, organizations can quickly pinpoint vulnerabilities in their systems and prevent disruption.

Choosing a solution that allows for the encryption of sensitive information and clear audit trails supports businesses in protecting sensitive customer data. Cyber threats are fast evolving, and traditional solutions can no longer keep up. The fine against Capita and high-profile cybersecurity incidents at organizations worldwide stand as proof that the risks are rising. Unsecured data is a target too good for bad actors to pass up, and firms not taking cyber risks seriously may find themselves subject not just to regulatory outcomes but also to severe service disruption and the loss of both revenue and the trust of their customers.

Global Relay’s solution delivers all of this in one secure, compliant platform. Click here to get the infrastructure your firm needs to stay protected.
