= 2023 Capita data breach =

Infobox
- Date: 2023-03-22
- Location: United Kingdom
- Target: Capita plc IT systems and client data

The 2023 Capita data breach was a ransomware and data exfiltration incident affecting the British business process outsourcing and professional services provider and millions of people whose data it processed. In late March 2023 hackers gained access to Capita's systems, stole large volumes of client and staff information and then deployed ransomware, disrupting internal IT services and causing prolonged outages across parts of the business.

Major clients, including the Universities Superannuation Scheme, later confirmed that personal data about hundreds of thousands of pension scheme members may have been compromised. By the end of May 2023, at least 90 organisations had notified the Information Commissioner's Office (ICO) of personal data breaches linked to the incident, and Capita estimated that the attack would cost up to £25 million in recovery and remediation expenses.

An investigation by the ICO concluded that personal data relating to around 6.6 million individuals, including special category data such as health and criminal record information, had been exfiltrated, prompting hundreds of complaints and a High Court multi-party claim on behalf of more than 5,000 people. In October 2025 the ICO fined Capita plc and Capita Pension Solutions Limited a combined £14 million for failures to implement appropriate security measures under the UK GDPR.

== Background and security risks ==
The Capita Group is a business process outsourcing and professional services group. At the time of the incident, it employed tens of thousands of staff and acted as both data controller and data processor for hundreds of organisations that relied on its central IT infrastructure and security policies.

Capita plc was responsible for group-wide data protection and information security policies and for operating the core systems on which many subsidiaries stored personal data, including pensions and other client records. The ICO found there was no evidence of internal audits of the security of the affected business units, despite group policies requiring such controls.

A privileged service account used by Capita, 'CAPITA\backupadmin', had domain administrator rights but none of the logon restrictions or monitoring that a least-privilege model would impose on such an account. Three penetration tests carried out between August 2022 and early 2023 had already flagged this configuration as a vulnerability, but no corrective action was taken before the breach.

== Timeline ==
; 22 March 2023
 07:52 - An attacker gains access to an employee device using a malicious JavaScript file (jdmb.js) and then downloads Qakbot and Cobalt Strike to the device.
 08:00 - An automatic alert is sent to Capita's security operations centre.
 12:21 - The attacker logs in to the account 'CAPITA\backupadmin', which has domain administrator access.
; 23 March 2023
 13:06 - Capita's security platform identifies Qakbot recovering and decrypting credentials on the compromised device.
; 24 March 2023
 18:07 - Capita's security operations centre processes the automatic alert, some 58 hours after it was raised, and quarantines the compromised device.
; 24–28 March 2023
 The attacker, using the compromised 'CAPITA\backupadmin' account, uses Cobalt Strike and BloodHound to map Active Directory and move laterally through the network.
; 28 March 2023
 Capita notices suspicious activity on three devices and takes all three offline for containment.
; 29 March 2023
 09:22 - Capita invokes its internal "Major Incident Management" process.
 17:26 - The attacker begins exfiltrating files through SystemBC, a proxy malware. Initially 827.25 MB of data is transferred; the total on this channel eventually reaches 1.76 GB.
; 30 March 2023
 The attacker uses Rclone to exfiltrate around 973 GB of data from multiple Capita systems.
; 31 March 2023
 The attacker deploys ransomware to over 1,000 hosts and resets the passwords of all 59,359 accounts on the system. At 18:30 Capita reports the incident to the ICO.
; 3 April 2023
 Capita releases a statement saying, "On Friday 31st March, Capita plc experienced a cyber incident primarily impacting access to internal Microsoft Office 365 applications".
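Two control gaps that the ICO findings and the timeline make concrete are a privileged backup service account being used from an ordinary employee device (22 March, 12:21) and a bulk transfer tool, Rclone, moving hundreds of gigabytes off Capita systems (30 March). The Python below is an added example of the kind of detection a security operations centre could run over logon and process-creation telemetry to catch both stages; it is not Capita's code and does not come from the ICO investigation. It assumes Windows 4624 logon events and Sysmon/4688-style process-creation events have been normalised into dictionaries with the field names shown. The host allow-list for the backup account, every account name other than 'CAPITA\backupadmin', and all sample events are constructed for illustration.

```python
"""Detection rules for two stages of the intrusion: a backup service account
used like a human account, and rclone used for bulk transfer (even when renamed).
All sample telemetry below is constructed for illustration, not real Capita data."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Hypothetical policy (not from the ICO findings): which hosts each monitored
# service account may legitimately log on from.
SERVICE_ACCOUNT_HOSTS = {"CAPITA\\backupadmin": {"BACKUP01", "BACKUP02"}}

# Windows 4624 logon types implying a console (2), RDP (10) or cached-interactive (11)
# session. A backup account should only appear with type 5 (service) or 3 (network).
INTERACTIVE_LOGON_TYPES = {2, 10, 11}

# rclone sub-commands and switches, used to recognise a renamed rclone binary.
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
RCLONE_FLAGS = ("--transfers", "--config", "--no-check-certificate", "--ignore-existing",
                "--auto-confirm", "--multi-thread-streams", "--progress")
# An rclone remote looks like "name:path". A Windows drive letter such as "C:\" does not
# match: the name must be at least two characters and must not be followed by a backslash.
REMOTE_RE = re.compile(r"(^|\s)[A-Za-z0-9_-]{2,}:(?!\\)\S*")


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    account: str
    detail: str


def check_service_account_logons(events):
    """Flag 4624 logons by a monitored service account that are interactive
    or that originate from a host outside the account's allow-list."""
    findings = []
    for e in events:
        account = e.get("Account")
        if e.get("EventID") != 4624 or account not in SERVICE_ACCOUNT_HOSTS:
            continue
        host = e["Workstation"].upper()
        logon_type = int(e["LogonType"])
        if logon_type in INTERACTIVE_LOGON_TYPES:
            findings.append(Finding("svc-interactive-logon", host, account, f"logon type {logon_type}"))
        if host not in SERVICE_ACCOUNT_HOSTS[account]:
            findings.append(Finding("svc-unexpected-host", host, account, "host not in allow-list"))
    return findings


def looks_like_rclone(image, original_file_name, command_line):
    """True if a process is rclone by file name, by the PE OriginalFileName
    (which survives renaming) or by a command line shaped like an rclone transfer."""
    if PureWindowsPath(image).name.lower() == "rclone.exe":
        return True
    if (original_file_name or "").lower() == "rclone.exe":
        return True
    args = command_line.split()[1:]  # drop the executable itself
    has_verb = any(a.lower() in RCLONE_VERBS for a in args)
    has_flag = any(a.startswith(f) for a in args for f in RCLONE_FLAGS)
    has_remote = bool(REMOTE_RE.search(command_line))
    return has_verb and (has_flag or has_remote)


def check_bulk_transfer_tools(process_events):
    """Flag process-creation events that look like rclone, whatever the binary is called."""
    return [Finding("rclone-bulk-transfer", p["Host"], p["User"], p["CommandLine"])
            for p in process_events
            if looks_like_rclone(p["Image"], p.get("OriginalFileName"), p["CommandLine"])]


# Constructed sample telemetry. The second logon mirrors the timeline's 22 March entry:
# the backup account used from an ordinary laptop over an RDP-style session.
SAMPLE_LOGONS = [
    {"EventID": 4624, "Account": "CAPITA\\backupadmin", "Workstation": "BACKUP01", "LogonType": 5},
    {"EventID": 4624, "Account": "CAPITA\\backupadmin", "Workstation": "lt-user-0421", "LogonType": 10},
    {"EventID": 4624, "Account": "CAPITA\\j.smith", "Workstation": "lt-user-0421", "LogonType": 2},
    {"EventID": 4625, "Account": "CAPITA\\backupadmin", "Workstation": "lt-user-0421", "LogonType": 10},
]

SAMPLE_PROCESSES = [
    # rclone renamed to svchost.exe in a temp directory; OriginalFileName gives it away.
    {"Host": "FS-SHARE-07", "User": "CAPITA\\backupadmin",
     "Image": "C:\\Windows\\Temp\\svchost.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": "svchost.exe copy \\\\FS-SHARE-07\\pensions mega:drop --transfers 32 --config C:\\Windows\\Temp\\r.conf"},
    # Legitimate robocopy job: no rclone verb, flag or remote, so it is not flagged.
    {"Host": "FS-SHARE-07", "User": "CAPITA\\j.smith",
     "Image": "C:\\Windows\\System32\\Robocopy.exe", "OriginalFileName": "robocopy.exe",
     "CommandLine": "Robocopy.exe D:\\reports E:\\backup /MIR"},
    # Renamed rclone with its version resource stripped; the command-line shape still matches.
    {"Host": "WS-0099", "User": "CAPITA\\a.jones",
     "Image": "C:\\Users\\a.jones\\Downloads\\rc.exe", "OriginalFileName": "",
     "CommandLine": "rc.exe sync C:\\Users\\a.jones\\Documents gdrive:archive --progress"},
]

if __name__ == "__main__":
    for f in check_service_account_logons(SAMPLE_LOGONS) + check_bulk_transfer_tools(SAMPLE_PROCESSES):
        print(f"[{f.rule}] host={f.host} account={f.account} {f.detail}")
```

Run stand-alone, the script reports two findings for the backup account's RDP-style logon from the laptop (interactive logon and unexpected host) and two rclone findings, one caught by the PE OriginalFileName and one by command-line shape alone. Either rule should page a human immediately rather than sit in a queue: the timeline shows the initial endpoint alert being worked two days after it fired, by which point the privileged account had already been in the attacker's hands for most of that time.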

== Impact and cost ==
The breach had significant operational, financial and reputational consequences for Capita and its clients. Systems across multiple business units were disrupted for several weeks, and the passwords of all 59,359 accounts were reset. Personal data relating to approximately 6.66 million individuals had been exfiltrated, including special category data such as health and criminal record information. Capita's annual results for 2023-24 attributed a cost of over £25 million to the incident, excluding the £14 million ICO fine imposed in 2025.

== Regulatory action ==
The incident led to widespread public concern, with 93 formal complaints to the ICO, 678 complaints received directly by Capita, and a High Court multi-party claim brought by Barings Law on behalf of more than 8,000 individuals.

Applying its five-step fining methodology, the ICO treated the relevant statutory maxima as 4% of Capita plc's worldwide annual turnover for the gravest infringement (Article 5) and 2% for the Article 32 infringement by Capita Pension Solutions Limited (CPSL), and set starting points of £38,745,600 (Capita plc) and £31,480,800 (CPSL) after seriousness adjustments of 40% and 65% respectively.

The ICO reduced both penalties by 20% for mitigating factors (including steps taken to mitigate harm to data subjects and engagement with regulators) and applied a further 5% uplift to Capita plc's penalty for an aggravating factor reflecting its higher degree of responsibility for the group-wide technical and organisational measures. It then reduced each figure by 65% at the proportionality stage, citing the linked nature of the infringements, the risk of "double punishment", Capita's financial position and its admission of liability, arriving at a combined total of £20,300,000 (£11,500,000 for Capita plc and £8,800,000 for CPSL).

The companies entered into a voluntary settlement on 10 October 2025, admitting the infringements and agreeing not to appeal. The ICO said it reduced the penalties further to reflect time and cost savings and earlier regulatory certainty, imposing a final combined penalty of £14,000,000 (£8,000,000 for Capita plc and £6,000,000 for CPSL) for infringements of Articles 5(1)(f) and 32 of the UK GDPR.

John Edwards, the UK Information Commissioner, was quoted as saying: "Capita failed in its duty to protect the data entrusted to it by millions of people. The scale of this breach and its impact could have been prevented had sufficient security measures been in place."

Adolfo Hernandez, CEO at Capita, responded to the fine: "[...] Following an extended period of dialogue with the ICO over the last two years, we are pleased to have concluded this matter and reach today's settlement. The Capita team continues to focus tirelessly on our Group transformation journey for the benefit of our customers, our people, and wider society."

In February 2026, the High Court allowed a group action brought by Barings Law on behalf of more than 8,000 claimants affected by the breach to proceed, after the judge rejected Capita's application to strike out the claims as an alleged abuse of process.
