
Capita
FTSE 250 UK outsourcer; fined £14m by ICO in 2026 for GDPR failures exposed by the Black Basta ransomware breach.
Last refreshed: 20 May 2026 · Appears in 1 active topic
Does the £963,900 South Staffs fine mean the Capita playbook now governs the whole of UK CNI?
Timeline for Capita
Mentioned in: Exchange repeats the CISA deadline-before-patch trap
Cybersecurity: Threats and DefencesICO fines South Staffs Water £963,900
Cybersecurity: Threats and DefencesMentioned in: RansomHouse posts Trellix internal screenshots as extortion leverage
Cybersecurity: Threats and DefencesMentioned in: ENISA scores NIS2 maturity with NCAF 2.0
Cybersecurity: Threats and DefencesMentioned in: Beijing's Liu ruling laid the doctrine
AI: Jobs, Power & MoneyWhy was Capita fined £14m by the ICO?
Who attacked Capita in 2023?
Does the Capita ICO fine mean NCSC guidance is legally required?
Background
Capita plc is a UK outsourcing and IT services company founded in 1984, listed on the London Stock Exchange (FTSE 250, ticker: CPI). At its peak it was one of the UK Government's largest private contractors, running services including BBC television licensing administration, NHS data processing, and Royal Navy training. Revenue reached approximately £3.7bn in 2022 before a prolonged restructuring programme began under the private-equity-backed leadership brought in following a series of profit warnings. By 2023, Capita employed approximately 50,000 people globally across more than 30 countries.
In March 2023, Capita suffered a major cyber incident subsequently attributed to the Black Basta ransomware group, then one of the most prolific financially motivated threat actors operating against UK targets. The attackers accessed Capita's internal systems for approximately nine days before the intrusion was contained. Personal data belonging to clients including the Universities Superannuation Scheme (USS), local councils, and NHS trusts was exfiltrated. Capita's initial public disclosure understated the scope of the breach; regulators and clients subsequently identified a wider data footprint than first acknowledged, contributing to reputational and contractual damage.
Capita's ongoing restructuring (centred on shedding non-core contracts, reducing headcount, and renegotiating debt) has Left it a significantly smaller business. Private-equity interest and potential further disposals have been reported periodically since 2023, though no transaction had completed as of May 2026.
The Information Commissioner's Office (ICO) issued Capita a £14m fine following its investigation into the 2023 Black Basta breach, citing failures to implement Privileged Access Management (PAM), adequate Active Directory (AD) tiering, and the controls recommended in NCSC baseline guidance, establishing that NCSC standards constitute an enforceable reference point under UK GDPR. The fine is the largest the ICO has levied against a UK outsourcer for a cyber incident and creates a precedent that procurement-chain organisations handling public-sector data face the same GDPR exposure as data controllers.
The Capita enforcement template has now extended to critical national infrastructure beyond financial-services outsourcing. On 12 May 2026, the ICO fined South Staffordshire Water £963,900 for a 2022 ransomware intrusion that ran undetected for 20 months, citing the same absent PAM, inadequate detection coverage, and NCSC-baseline failures. The South Staffs finding confirms that the NCSC-as-GDPR-baseline model established by Capita now applies to water-sector critical national infrastructure, before the Cyber Security and Resilience Bill has completed its parliamentary passage. For CISOs at any UK organisation handling personal data for public-sector clients, the Capita and South Staffordshire enforcement pair is the clearest regulatory signal yet that absent PAM, inadequate detection estate, and failure to follow NCSC guidance are fine-carrying GDPR failures under Article 32.