In October 2025, outsourcing giant Capita received the largest fine in the Information Commissioner’s Office (ICO) history — £14 million — following a ransomware attack in 2023 that exposed the personal data of 6.6 million people.
It’s easy to read a headline like that and assume it has nothing to do with your business. My own business, and every other business I’ve ever worked for, has had little in common with Capita at first glance. Capita is a £3 billion company; it’s huge, with its fingers in many pies, including government contracts and major service deliveries. Even the scale of the breach and the size of the fine the ICO issued feel like a different world, one with little to teach the rest of us. But hold on and bear with me…
The ICO’s findings are worth reading carefully, because the failures they identified aren’t enterprise-scale failures only. They’re the kind of failures that happen in organisations of every size, and I suspect happen often, but go unreported.
How it happened
On 22 March 2023, a Capita employee visited a compromised website and unknowingly downloaded a malicious file. There was no phishing email, no elaborate social engineering. Just an ordinary browsing session that went wrong (truth be told, I did a similar thing in my younger years).
Within four and a half hours, the attackers had used that foothold to access a privileged service account and begin escalating their access across Capita’s network. Within two days, they had exfiltrated nearly a terabyte of data. On 31 March (nine days after the initial compromise!), ransomware was deployed across the network, and all user passwords were reset, locking Capita’s own staff out of their systems.
The attack was carried out by a group called Black Basta, a well-known ransomware operation that had been targeting organisations across multiple sectors since 2022. This wasn’t an opportunistic attack. Black Basta operated as a professional criminal enterprise, and Capita, handling data for the NHS, the Ministry of Defence, the Royal Navy, and hundreds of pension schemes, was exactly the kind of target they looked for.
The part that should concern every organisation
Here’s what makes this case particularly sobering for us smaller businesses.
Capita’s own security tools detected the malicious file within 10 minutes of its download. A high-priority alert fired immediately. It used plain language: “Threat Alert — High,” “Credential Access,” “Privilege Escalation.”
Nobody responded for 58 hours.
By the time the device was quarantined, the attackers had already moved laterally across at least eight domains, had domain administrator access, and had everything they needed to carry out the attack.
That wasn’t a failure of technology. The technology worked. It was a failure of process, specifically the kind of process that an ISMS is designed to establish and maintain.
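The 58-hour gap is the kind of thing you only notice if you measure it. Below is an added example (my own illustration, not anything from the Capita investigation or the ICO report) of the simplest useful check: take an export of EDR alerts, work out how long each one sat before anyone acknowledged it, and list the ones that blew through a response target. The alert lines, timestamps and the per-severity targets are all constructed for the example; an alert that nobody has touched keeps ageing until "now", which is exactly the case that matters.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Response-time targets per severity. Assumed values for illustration;
# pick your own and write them into your incident response procedure.
SLA = {
    "High": timedelta(hours=1),
    "Medium": timedelta(hours=8),
    "Low": timedelta(hours=72),
}

# Constructed sample export (not real Capita alerts). Fields:
# id | severity | category | raised_at | acknowledged_at (blank = untouched)
SAMPLE_EXPORT = """\
ALRT-0001 | High   | Credential Access    | 2023-03-22T14:10:00 | 2023-03-25T00:10:00
ALRT-0002 | Medium | Suspicious Script    | 2023-03-22T15:30:00 | 2023-03-22T17:00:00
ALRT-0003 | High   | Privilege Escalation | 2023-03-24T09:00:00 |
ALRT-0004 | Low    | Policy Violation     | 2023-03-20T08:00:00 | 2023-03-21T09:00:00
"""


@dataclass
class Alert:
    alert_id: str
    severity: str
    category: str
    raised_at: datetime
    acknowledged_at: Optional[datetime]  # None: nobody has looked at it yet


def parse_alert(line: str) -> Alert:
    """Parse one pipe-delimited line of the constructed export format."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 5:
        raise ValueError(f"malformed alert line: {line!r}")
    alert_id, severity, category, raised, acked = fields
    return Alert(
        alert_id,
        severity,
        category,
        datetime.fromisoformat(raised),
        datetime.fromisoformat(acked) if acked else None,
    )


def load_alerts(text: str) -> List[Alert]:
    """Parse every non-blank line of an export."""
    return [parse_alert(line) for line in text.splitlines() if line.strip()]


def response_delay(alert: Alert, now: datetime) -> timedelta:
    """Time between the alert firing and someone acknowledging it.

    An unacknowledged alert is still open, so it is measured up to `now`
    rather than silently skipped: the untouched ones are the problem.
    """
    end = alert.acknowledged_at or now
    return end - alert.raised_at


def sla_breaches(alerts: List[Alert], now: datetime) -> List[Tuple[str, float, float]]:
    """Return (alert_id, hours_to_respond, target_hours) for every alert
    that exceeded the response target for its severity, worst first."""
    breaches = []
    for alert in alerts:
        target = SLA.get(alert.severity, SLA["Low"])  # unknown severity: treat as Low
        delay = response_delay(alert, now)
        if delay > target:
            breaches.append(
                (alert.alert_id, delay.total_seconds() / 3600, target.total_seconds() / 3600)
            )
    breaches.sort(key=lambda b: -b[1])
    return breaches


if __name__ == "__main__":
    # "Now" is frozen so the example is reproducible; use datetime.now() for real data.
    now = datetime(2023, 3, 24, 12, 0, 0)
    for alert_id, hours, target in sla_breaches(load_alerts(SAMPLE_EXPORT), now):
        print(f"{alert_id}: responded after {hours:.1f}h (target {target:.0f}h)")
```

Run against a real export this gives you the one number worth putting in front of management: how long high-severity alerts actually wait. If that number is measured in days rather than minutes, no amount of tooling is going to save you.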
And like the best horror stories, it gets worse… The vulnerabilities the attackers exploited — overprivileged service accounts, no tiered administration model, no least privilege controls — had been flagged in Capita’s own penetration tests on three separate occasions before the breach. They were known issues that weren’t fixed.
The ICO specifically referenced ISO 27001 in its findings, noting that these are standard controls required by the framework. The fine wasn’t just about the breach. It was about the gap between having a security programme on paper and actually running one.
I, for one, get a cold shudder thinking about the people for whom this happened on their watch. I imagine the finger-pointing was quite something.
The broader picture
The Capita fine didn’t happen in isolation. ICO enforcement has been accelerating.
In 2025, the ICO issued fines totalling around £19.6 million from just seven cases — a sevenfold increase on the previous year. The Data (Use and Access) Act 2025, which came into force in February 2026, has also extended the ICO’s enforcement powers and raised the cap on fines for certain violations to UK GDPR levels.
The direction of travel is clear. The ICO is enforcing more frequently, more seriously, and with greater reference to recognised security frameworks when assessing whether organisations have done enough.
Even if the ICO doesn’t come knocking on your door after a breach, your customers likely will, and they will expect compensation.
It’s also worth noting that paying the ransom — if Capita did, and the circumstantial evidence suggests they may have — doesn’t reduce a regulatory fine. The ICO’s assessment is based on whether you had adequate controls in place, not on what happened afterwards.
What this means if you’re a smaller business
The lesson here isn’t that you need Capita’s security budget.
The lesson is in the response to a simple question.
When something goes wrong, do you have a framework in place, and are you actually using it?
ISO 27001 exists precisely to answer that question. It isn’t a guarantee that nothing will ever go wrong — no framework is, no matter what people claim. But it does demonstrate that you’ve assessed your risks, put controls in place, and have a process for reviewing them. That matters to the ICO, your stakeholders, customers, and boss, and to potential clients and partners who ask about your security posture.
The controls that Capita failed to implement aren’t complex or expensive. Least privilege access, proper account management, separation of duties — these are achievable by organisations of almost any size. The problem at Capita wasn’t a lack of resources. Known issues were flagged. They just weren’t fixed.
Someone was responsible for that, but someone else was accountable.
One practical thing to do today
So, ask yourself a few things:
If your organisation has had a penetration test, a risk assessment, or any kind of security review in the past 12 months, pull out the findings.
Are there items on that list that were flagged and haven’t been addressed? If so, that’s your starting point — not because a fine is imminent, but because that’s exactly the pattern the ICO identified at Capita. Known vulnerabilities, unresolved, for months.
If you haven’t had any kind of security review, that’s worth addressing. A basic gap analysis is a reasonable place to start and doesn’t have to be expensive or disruptive.
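Pulling the findings out is step one; the Capita pattern is a finding that shows up in report after report. As an added example (mine, not the page’s method and not anything derived from Capita’s actual reports), here is a small script that takes several review reports, matches findings across them by normalised title, and lists the ones flagged more than once, with how long they have been open. The reports and findings are constructed; real reports from different testers rarely share identifiers, which is why the matching is done on the wording rather than on an ID.

```python
import re
from datetime import date
from typing import Dict, List, Optional

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample: three reviews over twelve months. Each finding is
# (title as written by the tester, severity). Titles are deliberately
# inconsistent in case and spacing, as they would be across real reports.
REPORTS = [
    {"name": "Pentest 2022-Q1", "date": date(2022, 3, 1), "findings": [
        ("Service account svc-backup is a member of Domain Admins", "High"),
        ("No tiered administration model for privileged accounts", "High"),
        ("TLS 1.0 enabled on intranet portal", "Medium"),
        ("SMB signing not enforced on file servers", "Medium"),
    ]},
    {"name": "Pentest 2022-Q3", "date": date(2022, 9, 1), "findings": [
        ("Service account SVC-BACKUP is a member of  Domain Admins", "High"),
        ("No tiered administration model for privileged accounts", "High"),
        ("TLS 1.0 enabled on intranet portal", "Medium"),
        ("Default credentials on printer management interface", "Low"),
    ]},
    {"name": "Pentest 2023-Q1", "date": date(2023, 2, 1), "findings": [
        ("Service account svc-backup is a member of Domain Admins", "Critical"),
        ("No tiered administration model for privileged accounts", "High"),
        ("SMB signing not enforced on file servers", "Medium"),
        ("Local administrator password reused across workstations", "High"),
    ]},
]


def normalise(title: str) -> str:
    """Key for matching the same finding across reports: lower-case,
    punctuation stripped, whitespace collapsed."""
    cleaned = re.sub(r"[^a-z0-9 ]", "", title.lower())
    return " ".join(cleaned.split())


def recurring_findings(reports: List[Dict], as_of: date, min_occurrences: int = 2) -> List[Dict]:
    """Group findings across reports and return those flagged in at least
    `min_occurrences` reports.

    A finding present in the most recent report is treated as still open;
    one that appeared earlier but not in the latest report is listed as
    probably fixed, to be confirmed rather than assumed.
    """
    seen: Dict[str, Dict] = {}
    for report in sorted(reports, key=lambda r: r["date"]):
        for title, severity in report["findings"]:
            key = normalise(title)
            entry = seen.setdefault(key, {
                "title": title,              # wording from the first report it appeared in
                "severity": severity,
                "reports": [],
                "first_seen": report["date"],
                "last_seen": report["date"],
            })
            entry["reports"].append(report["name"])
            entry["last_seen"] = report["date"]
            if SEVERITY_RANK[severity] > SEVERITY_RANK[entry["severity"]]:
                entry["severity"] = severity  # keep the worst rating ever given

    latest = max(r["date"] for r in reports)
    result = []
    for entry in seen.values():
        if len(entry["reports"]) < min_occurrences:
            continue
        entry["still_open"] = entry["last_seen"] == latest
        days: Optional[int] = (as_of - entry["first_seen"]).days if entry["still_open"] else None
        entry["days_flagged"] = days
        result.append(entry)

    # Most-repeated first, open before probably-fixed, then by severity.
    result.sort(key=lambda e: (-len(e["reports"]), not e["still_open"], -SEVERITY_RANK[e["severity"]]))
    return result


if __name__ == "__main__":
    for e in recurring_findings(REPORTS, as_of=date(2023, 3, 22)):
        state = f"OPEN for {e['days_flagged']} days" if e["still_open"] else "absent from latest report, confirm fixed"
        print(f"[{e['severity']}] x{len(e['reports'])} {e['title']} ({state})")
```

The two findings at the top of that list, a service account in Domain Admins and no tiered administration, are the same class of issue the ICO called out. Whatever the wording in your own reports, anything that has survived two reviews belongs in the risk register with an owner and a date, not in a PDF nobody opens.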
A note on ISO 27001
If you’re considering ISO 27001 certification, or you’re partway through an implementation, the Capita case reinforces something I tell every client: the value of the standard isn’t the certificate. It’s the process of working through it — identifying your risks, deciding which controls apply to you, and building a system you actually maintain.
The certificate is the proof. The ISMS is what actually protects you.
If you’d like to understand what getting certified would involve for your business, you’re welcome to book a free discovery call. No obligation — just a straightforward conversation.