Capita plc – €16,380,000 Fine (United Kingdom, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The controller is Capita plc, a provider of business services including pensions administration, human capital resourcing and document management. The controller used a processor, Capita Pension Solutions Limited. In March 2023, a cyber attack gave the attackers access to the personal data of over 6 million data subjects, including special categories of personal data; on 31 March 2023, Capita reported the incident to the DPA (the Information Commissioner's Office, ICO). Following the report, the DPA opened an investigation. First, the DPA found that the controller had processed personal data for the provision of business services without ensuring appropriate security measures, including protection against unauthorised processing, in violation of Article 5(1)(f), Article 32(1) and Article 32(2) UK GDPR. More specifically, the controller had failed to implement appropriate technical and organisational measures to prevent privilege escalation (an attacker elevating the permissions of a compromised account, for example from an ordinary user to an administrator) and unauthorised lateral movement (an attacker advancing from an initial foothold deeper into the network towards high-value systems and data), and to respond effectively to security alerts once they had been raised. It had also failed to ensure the security of processing of personal data, including special categories of personal data, which left that data at significant risk. Second, the DPA found that the processor had violated Article 32(1) and Article 32(2) UK GDPR for the same reasons. Lastly, the DPA imposed a penalty of
Related Enforcement Actions (0)
No other enforcement actions have been recorded for Capita plc in the UK; this is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
15 October 2025
Authority
Information Commissioner's Office
Fine Amount
€16,380,000
14,000,000 GBP
GDPRhub ID
gdprhub-9564
Cite as: Cookie Fines. Capita plc - United Kingdom (2025). Retrieved from cookiefines.eu