Financedata breach5 min read

Capita Data Breach

Downtime Duration

2 weeks

Estimated Costs

£20 million

Records Exposed

6.6 million Customers

Operational Impact

  • System Administrator Credentials Compromised and IT System left unaccessable
  • 6.6 Million Customers' Data Stolen
  • £14 Million Fine issued by ICO

Summary

Captia's compromised admin credentials leads to the theft of 6.6 million customer records. And they

Full Analysis

Introduction 

Between March and April 2023, Capita PLC was stuck by several cyber-attacks, comprising one of the biggest data breaches seen so far.  The personal data of over 600 organisations that outsource their data processing to Capita and 6.6 million people were compromised. This led to the Information Commissioner’s Office (ICO) issuing a £14m fine for not securing the data properly. Capita’s data breach is a trend in cyber-attacks in recent years on large organisations, most prominently in 2025 with attacks on M&S, Co-op, and Jaguar Land Rover, where personal data was also stolen.       

Entry Vector (What Happened and How?) 

According to ICO (ico.org.uk, 2025A), the data breach was caused by an unsuspecting Capita employee opening a malicious email containing Qakbot and CobaltStrike malware (Ico.org.uk, 2025B). Even though the employee recognised the virus and raised the alarm, leading to automated action being taken 10 mins later, Capita failed to quarantine the infected device. This meant the hacker was able to exploit access for the next 58 hours (theguardian.com, 2025A).  

The hacker was able to use the employees’ stolen credentials (an admin service account within Capita’s system called ‘CAPITA\backupadmin’) to move about freely within many of Capita’s systems (ico.org.uk, 2025B). Several days later the hacker was able to use the still present malware to not only be able to steal 1 Terabyte of sensitive data but also to encrypt system data and access passwords, locking employees out. This kind of phishing attack is common for cyber-attacks on large businesses.    

Impact   

Financial and Legal 

Capita estimated that they would lose up to £20m as they pay for IT recovery, specialist fees and reinforcing its cybersecurity measures (theguardian.com, 2025B).  

Capita was fined £14 million for the data loss by the ICO, which they paid in full. It should be noted that Capita made £2.4 billion in revenue according to its latest annual report. (BBC.com, 2025C).  

As of February 2026, the high court ruled that a legal claim, that thousands of people affected by the breach had signed onto, can continue against Capita in what was described as ‘a landmark for large-scale data privacy claims in the UK.’ (Business Matters, 2026) 

Customer Data 

Capita manage 150 pension schemes of over 6.6 million people through its Capita Pension Solutions division. According to the Pension Watchdogs, personal data such as passports and home addresses were being circulated on the darknet, leaving customers viable to fraud (BBC.com, 2023B). Some pension schemes were forced to issue a free identity protection service to their members.  

Other stolen valuable data was staff records and the data of organisations that outsource to Capita, including USS Academics special category data like running the London congestion charging zone and overseeing training for the Royal Navy, financial data such as collecting the BBC licence fee and even criminal records (ico.org, 2025A) (BBC.com, 2023B). Up to 90 organisations contacted ICO following the data breaches and the revelations that Capita had left a file repository unsecured online (BBC.com, 2023D).    

Duration 

There were two separate hacks: the phishing attack that gave the hacker access to Capita’s files, and a later one where the hacker stole sensitive data and encrypted systems. Both took place over two weeks starting from 22nd March 2023 (ico.org, 2025A). 

What went wrong?  

According to insideprivacy.com (insideprivacy.com, 2025), ICO’s monetary penalty notice (MPN) regarding the cyberattack found several security failings within Capita’s system. This included two main issues: 

“1. Failure to prevent unauthorised lateral movement and privilege escalation within a network, including failure to remediate deficiencies identified in penetration tests” 

  • This means that Capita lacked adequate security or control over privileged accounts that had more access to sensitive data, which allowed the hacker to hijack them and steal it said data the first place.  
  • The National Cyber Security Centre’s (“NCSC”) recommended the use of a tiered administration system to reduce the potential impact a compromised privileged account, which Capita failed to implement or upgrade following previous tests on the system’s security.  

“2. Failure to respond appropriately to security alerts” 

  • ICO concluded that whilst Capita were alerted to the breach within 10 minutes, they failed to adequately quarantine the infected device until 58 hours later, which allowed the hacker to establish future access to the system and therefore, steal valuable data. 
  • Capita also had an underequipped and underperforming Security Operations Centre (SOC) that failed to properly respond to the threat before it was too late  

Another noteworthy point raised in a seperate ICO report was a service account within Capita’s system known as ‘CAPITA\backupadmin’, which as the name suggests had special administrator privileges that lacked proper restrictions and monitoring (ico.org.uk, 2025B). Multiple penetration tests prior to the data breach confirmed the service account was vulnerable to hijacking, but no action was taken to secure it.     

The Seamless Solution 

  • Seamless’ solution would be to have several safeguards in place should a privileged account is compromised, thus allowing for a quick and decisive quarantine that prevents further encryption.   
  • They would also ensure a well-equipped and trained SOC that can respond to threats 24/7, thus allowing for swift action within minutes to secure the system using appropriate cyber security. 
  • Having an unsecured admin account that can easily and quickly access sensitive files is a weakness begging to be exploited by hackers. Seamless would have integrated a program within ‘CAPITA\backupadmin’ to automatically lock the account down should it detect an unauthorised login. At the same time, limiting the number of people who can use it and introducing multi-factor authentication to access the account could prevent it being hijacked again.  

Conclusion 

Capita represents both a serious lapse in cybersecurity and the damages caused by overconfidence. Capita could have prevented the ransomware or at the least negate the damage done   

Sources 

  • BBC.com (2023B): Capita: Watchdog warns pension funds over data after hack: https://www.bbc.co.uk/news/business-65443841 
  • BBC.com (2025D): Capita hack: 90 organisations report data breaches to watchdog: https://www.bbc.com/news/technology-65746518 
  • Business Matters Magazine, (2026): High Court clears way for thousands to pursue Capita data breach claims: https://web.archive.org/web/20260209150849/https://bmmagazine.co.uk/legal/high-court-capita-data-breach-claims-landmark-ruling/  
  • Ico.org.uk (2025A): Capita fined £14m for data breach affecting over 6m people: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/10/capita-fined-14m-for-data-breach-affecting-over-6m-people/  
  • Ico.org.uk (2025B): Capita plc and Capita Pension Solutions Ltd Penalty Notice PDF: https://ico.org.uk/action-weve-taken/enforcement/2025/10/capita-plc/ 
  • Insideprivacy.com (2025): ICO Fines Capita £14 Million Over 2023 Data Breach https://www.insideprivacy.com/data-privacy/ico-fines-capita-14-million-over-2023-data-breach/ 
  • theguardian.com (2025B): Cyber-attack to cost outsourcing firm Capita up to £20m: https://www.theguardian.com/business/2023/may/10/cyber-attack-to-cost-outsourcing-firm-capita-up-to-20m 
  • News.sky.com (2025): Government contractor Capita fined £14m after more than six million people had data stolen in cyber attack: https://news.sky.com/story/government-contractor-capita-fined-14m-after-more-than-six-million-people-had-data-stolen-in-cyber-attack-13450431 

See the Recovery Orchestration Engine in action.

Tour the solution story built for investors and acquirers.

No lock-inIntegrates with your existing stackEnterprise ready