In a landmark decision, the Information Commissioner’s Office (ICO) has fined Capita plc and Capita Pension Solutions Limited (CPSL) a combined £14 million for serious data protection failures, a stark reminder that even the biggest players can fall short when it comes to safeguarding personal data.
What happened?
In March 2023, Capita suffered a major cyberattack after threat actors exploited a vulnerability via a malicious JavaScript file. The breach exposed highly sensitive personal and special category data, including health, financial, and biometric information, affecting millions of individuals.
The ICO found that Capita had longstanding security failings, some dating back to the introduction of the UK GDPR in 2018. These included:
- Weak privileged access controls
- Failure to act on known vulnerabilities
- Inadequate penetration testing
- Under-resourced security operations
- Poor internal risk governance
Despite these failings, Capita cooperated fully with the ICO, accepted responsibility, and implemented rapid post-incident improvements - factors that helped reduce the overall fine.
Why this matters to Schools and MATs
While Capita is a large outsourcing company, the lessons from this case are highly relevant to the education sector, where schools and trusts handle vast amounts of sensitive data, from pupil health records to safeguarding information.
Key takeaways for education providers:
- Don’t delay on known risks: Capita had identified vulnerabilities months before the breach but failed to act. Schools must ensure that risk assessments lead to action, not just paperwork.
- Segment your systems: The lack of Active Directory tiering allowed attackers to move freely across Capita’s network. Even small IT environments benefit from basic segmentation and access controls.
- Resource your security appropriately: The ICO highlighted Capita’s under-resourced Security Operations Centre. For schools, this means ensuring your IT support (internal or external) is equipped to monitor and respond to threats.
- Share lessons internally: Capita’s risk findings were siloed. In education, this could mean safeguarding or data protection issues not being escalated across departments or leadership teams.
- Size matters: The ICO made it clear — larger organisations are held to higher standards. For MATs and local authorities, this means your data protection practices must scale with your size and complexity.
What Capita got right
Despite the failings, Capita’s response offers a model for crisis management:
- Immediate implementation of well-established security standards
- Transparent communication with clients and regulators
- Free credit monitoring for affected individuals
- A strengthened Cyber Transformation Plan
These actions didn’t erase the breach, but they demonstrated accountability, which helped mitigate the consequences.
Final thoughts
This case is a powerful reminder that compliance isn’t just about policies; it’s about practice. For schools and MATs, the Capita fine reinforces the need to:
- Regularly review and test your security controls
- Ensure your DPO has visibility across all data processing activities
- Invest in staff training and awareness
- Treat data protection and cyber security as organisation-wide responsibilities that are recognised, guided, and championed from the top
At GDPRiS, we’re here to help you stay ahead of the risks with tools, training, and insights tailored to the education sector. Book a meeting with our team today!