The 2023 cyberattack on Capita was a ransomware and data exfiltration incident affecting the British business process outsourcing and professional services provider and millions of people whose data it processed. In late March 2023 hackers gained access to Capita's systems, stole large volumes of client and staff information and then deployed ransomware, disrupting internal IT services and causing prolonged outages across parts of the business.[1][2][3]
Major clients, including the Universities Superannuation Scheme, later confirmed that personal data about hundreds of thousands of pension scheme members may have been compromised.[4][5] By the end of May 2023, at least 90 organisations had notified the Information Commissioner's Office (ICO) of personal data breaches linked to the incident,[6] and Capita estimated that the attack would cost up to £25 million in recovery and remediation expenses.[7]
An investigation by the ICO concluded that personal data relating to around 6.6 million individuals, including special category data such as health and criminal record information, had been exfiltrated, prompting hundreds of complaints and a High Court multi-party claim on behalf of more than 5,000 people.[8][9] In October 2025 the ICO fined Capita plc and Capita Pension Solutions Limited a combined £14 million for failures to implement appropriate security measures under the UK GDPR.[8][10]
Background and security risks
The Capita Group is a business process outsourcing and professional services group. At the time of the incident, it employed tens of thousands of staff and acted as both data controller and data processor for hundreds of organisations that relied on its central IT infrastructure and security policies.[8]
Capita plc was responsible for group-wide data protection and information security policies and for operating the core systems on which many subsidiaries stored personal data, including pensions and other client records. The ICO found there was no evidence of internal audits of the security of the affected business units, despite group policies requiring such controls.[8]
A privileged service account used by Capita, 'CAPITA\backupadmin', had domain administrator rights and lacked restrictions and monitoring that would normally apply under a least-privilege model. Three penetration tests carried out between August 2022 and early 2023 had already identified this configuration as a vulnerability, but no corrective action was taken before the breach.[8]
Timeline
- 22 March 2023
  - 07:52 - An attacker gained access to an employee phone using a malicious JavaScript script (jdmb.js) and then downloaded the malware Qakbot and Cobalt Strike.
  - 08:00 - An automatic alert was sent to Capita's security operations centre.
  - 12:21 - The threat actor logged in with administrator access.[8]
- 23 March 2023
  - 13:06 - Capita's security platform identified that Qakbot was recovering and decrypting credentials from the compromised device.[8]
- 24 March 2023
  - 18:07 - Capita's security operations centre processed the automatic alert and quarantined the compromised device.[8]
- 24–28 March 2023
  - The attacker, who now had access to an administrator account as a result of the compromised device, used tools such as Cobalt Strike and BloodHound to move laterally through Capita's systems.[8]
- 28 March 2023
  - Capita noticed suspicious activity on three devices and took all three offline for containment.[8]
- 29 March 2023
  - 09:22 - Capita invoked its internal "Major Incident Management" process.
  - 17:26 - The attacker began downloading files using a malware tool called SystemBC. Initially 827.25 MB of data was downloaded; this eventually reached 1.76 GB on this channel.[8]
- 30 March 2023
  - The attacker used Rclone to download around 973 GB of data from multiple Capita systems.[8]
- 31 March 2023
  - The attacker deployed ransomware to over 1,000 hosts[10] and reset the passwords of all 59,359 accounts on the system. At 18:30 Capita reported the incident to the ICO.[8]
- 3 April 2023
  - Capita released a statement saying “On Friday 31st March, Capita plc experienced a cyber incident primarily impacting access to internal Microsoft Office 365 applications.”[11]
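The gap between the 08:00 automatic alert on 22 March and its processing at 18:07 on 24 March is the kind of triage delay a security operations centre can measure and alarm on. The following Python is an added illustration, not part of the original article or of Capita's tooling: it computes how long each alert in a constructed queue waited for an analyst and flags breaches of an assumed per-severity SLA. Only the two timestamps for ALT-0001 come from the timeline above; the alert identifiers, severities and SLA thresholds are constructed.

```python
"""Alert-triage latency check over a constructed SOC alert queue.

Assumptions (not from the ICO notice): alert identifiers, severities and
SLA thresholds are illustrative. Only the ALT-0001 timestamps (alert raised
22 March 2023 08:00, device quarantined 24 March 18:07) follow the timeline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed SLA: maximum minutes an alert may wait for a human analyst.
TRIAGE_SLA_MINUTES = {"critical": 30, "high": 120, "medium": 480}


@dataclass
class Alert:
    alert_id: str
    severity: str
    raised: datetime
    triaged: Optional[datetime]  # None = still untouched in the queue


def triage_latency(alert: Alert, now: datetime) -> timedelta:
    """Time from alert creation to analyst action, or to `now` if untouched."""
    end = alert.triaged if alert.triaged is not None else now
    return end - alert.raised


def sla_breaches(alerts, now):
    """Return (alert_id, minutes_waited, sla_minutes) for every alert past its
    SLA, worst first. Unknown severities fall back to the medium threshold."""
    breaches = []
    for a in alerts:
        waited = int(triage_latency(a, now).total_seconds() // 60)
        limit = TRIAGE_SLA_MINUTES.get(a.severity, TRIAGE_SLA_MINUTES["medium"])
        if waited > limit:
            breaches.append((a.alert_id, waited, limit))
    return sorted(breaches, key=lambda b: b[1], reverse=True)


# Constructed queue: ALT-0001 mirrors the Capita timeline, the rest is filler.
QUEUE = [
    Alert("ALT-0001", "high", datetime(2023, 3, 22, 8, 0), datetime(2023, 3, 24, 18, 7)),
    Alert("ALT-0002", "critical", datetime(2023, 3, 22, 9, 15), datetime(2023, 3, 22, 9, 30)),
    Alert("ALT-0003", "medium", datetime(2023, 3, 23, 10, 0), None),
]

if __name__ == "__main__":
    for alert_id, waited, limit in sla_breaches(QUEUE, datetime(2023, 3, 24, 18, 7)):
        print(f"{alert_id}: waited {waited // 60}h{waited % 60:02d}m against an SLA of {limit}m")
```

Run against the constructed queue, ALT-0001 shows 58h07m of waiting against a two-hour SLA, and the still-open ALT-0003 is reported as well because an untriaged alert is aged against the current time rather than ignored.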
Impact
The breach had significant operational, financial, and reputational consequences for Capita and its clients.[12] Systems across multiple business units were disrupted for several weeks, and 59,000 accounts had their passwords reset. Personal data relating to approximately 6.66 million individuals had been exfiltrated, including special category data such as health and criminal record information.[8]
Investigation and regulatory action
The incident led to widespread concern, with 93 formal complaints to the ICO, 678 complaints received directly by Capita,[8] and a High Court multi-party claim involving over 5,000 individuals.[13]
In October 2025, Capita plc and Capita Pension Solutions Limited were fined a combined £14 million for infringements of Articles 5(1)(f) and 32 of the UK GDPR.[8]
John Edwards, the UK Information Commissioner, was quoted as saying:
"Capita failed in its duty to protect the data entrusted to it by millions of people. The scale of this breach and its impact could have been prevented had sufficient security measures been in place."[10]
Adolfo Hernandez, CEO at Capita, responded to the fine:
"[...] Following an extended period of dialogue with the ICO over the last two years, we are pleased to have concluded this matter and reach today's settlement. The Capita team continues to focus tirelessly on our Group transformation journey for the benefit of our customers, our people, and wider society."[10]
References
1. Prescott, Katie (21 April 2023). "Capita admits data breach after attack by Russian hackers". The Times.
2. Makortoff, Kalyeena (3 April 2023). "Capita blames cyber-attack for outage as company races to restore IT systems". The Guardian. ISSN 0261-3077. Retrieved 13 November 2025.
3. Makortoff, Kalyeena (20 April 2023). "Capita admits customer data may have been breached during cyber-attack". The Guardian.
4. Cumbo, Josephine (12 May 2023). "Leading pensions client warns data for 470,000 members at risk from Capita hack". Financial Times. Retrieved 13 May 2023.
5. Davies, Rob (12 May 2023). "Capita cyber-attack: USS pension fund members' details may have been stolen". The Guardian. Retrieved 14 May 2023.
6. "Capita hack: 90 organisations report data breaches to watchdog". BBC News. 29 May 2023. Retrieved 29 May 2023.
7. Partridge, Joanna (4 August 2023). "Cyber-attack to cost outsourcing firm Capita up to £25m". The Guardian. ISSN 0261-3077. Retrieved 13 November 2025.
8. Monetary Penalty Notice: Capita plc; Capita Pension Solutions Limited (Penalty notice). Information Commissioner's Office. 15 October 2025.
9. "Thousands of pension holders to sue Capita over 'Russia-linked' hack". Barings Law. Retrieved 15 November 2025.
10. Jones, Connor (15 October 2025). "Capita fined £14M after 58-hour delay exposed 6.6M records". The Register. Situation Publishing. Retrieved 15 November 2025.
11. Makortoff, Kalyeena (3 April 2023). "Capita blames cyber-attack for outage as company races to restore IT systems". The Guardian. ISSN 0261-3077. Retrieved 13 November 2025.
12. Partridge, Joanna (4 August 2023). "Cyber-attack to cost outsourcing firm Capita up to £25m". The Guardian. ISSN 0261-3077. Retrieved 13 November 2025.
13. "Thousands of pension holders to sue Capita over 'Russia-linked' hack". Barings Law. Retrieved 15 November 2025.