
Capita
FTSE 250 UK outsourcer; fined £14m by the ICO in 2026 for GDPR failures exposed by the Black Basta ransomware breach.
Last refreshed: 30 April 2026
Does the Capita ICO fine make NCSC guidance the de facto enforceable standard for UK government suppliers?
- Why was Capita fined £14m by the ICO?
- The ICO fined Capita £14m following the March 2023 Black Basta ransomware breach, citing failures to implement Privileged Access Management (PAM), adequate Active Directory tiering, and controls aligned with NCSC baseline guidance — all of which the ICO treated as required under Article 32 UK GDPR. (Source: ICO)
- Who attacked Capita in 2023?
- The March 2023 Capita cyber incident was attributed to Black Basta, a financially motivated ransomware group. Attackers maintained access for approximately nine days, exfiltrating data belonging to Capita clients including USS, NHS trusts, and local councils. (Source: ICO / Capita)
- Does the Capita ICO fine mean NCSC guidance is legally required?
- The ICO's enforcement notice treated NCSC guidance as the applicable security baseline when assessing technical and organisational measures under UK GDPR Article 32. While NCSC guidance is not statute, the Capita precedent means regulators can use it as evidence of what 'appropriate measures' look like for UK organisations. (Source: ICO)
- What data was stolen in the Capita breach?
- The March 2023 Capita breach exposed personal data held on behalf of multiple clients including the Universities Superannuation Scheme (USS), NHS trusts, and local councils. Capita's initial disclosure understated scope; regulators later identified a wider data footprint. (Source: ICO / Capita)
Background
Capita plc is a UK outsourcing and IT services company founded in 1984, listed on the London Stock Exchange (FTSE 250, ticker: CPI). At its peak it was one of the UK Government's largest private contractors, running services including BBC television licensing administration, NHS data processing, and Royal Navy training. Revenue reached approximately £3.7bn in 2022 before a prolonged restructuring programme began under the private-equity-backed leadership brought in following a series of profit warnings. By 2023, Capita employed approximately 50,000 people globally across more than 30 countries.
In March 2023, Capita suffered a major cyber incident subsequently attributed to the Black Basta ransomware group — then one of the most prolific financially motivated threat actors operating against UK targets. The attackers accessed Capita's internal systems for approximately nine days before the intrusion was contained. Personal data belonging to clients including the Universities Superannuation Scheme (USS), local councils, and NHS trusts was exfiltrated. Capita's initial public disclosure understated the scope of the breach; regulators and clients subsequently identified a wider data footprint than first acknowledged, contributing to reputational and contractual damage.
Capita's ongoing restructuring — centred on shedding non-core contracts, reducing headcount, and renegotiating debt — has left it a significantly smaller business. Private-equity interest and potential further disposals have been reported periodically since 2023, though no transaction had completed as of April 2026.
The Information Commissioner's Office (ICO) issued Capita a £14m fine following its investigation into the 2023 Black Basta breach, citing failures to implement Privileged Access Management (PAM), adequate Active Directory (AD) tiering, and the controls recommended in NCSC baseline guidance — establishing that NCSC standards constitute an enforceable reference point under UK GDPR. The fine is the largest the ICO has levied against a UK outsourcer for a cyber incident and creates a precedent that procurement-chain organisations handling public-sector data face the same GDPR exposure as data controllers. For CISOs at UK Government suppliers, the Capita enforcement notice is the clearest regulatory signal yet that absence of PAM and AD tiering is not merely a hygiene risk — it is a fine-carrying GDPR failure. The decision also signals that regulators will treat NCSC guidance as the applicable security baseline when assessing adequacy of technical and organisational measures under Article 32.