The UK ICO fined outsourcing giant Capita plc GBP 14 million for systemic security failures that enabled the Black Basta ransomware group to infiltrate its network, exfiltrate 974.84 GB of data encompassing 6.6 million individual records, and deploy ransomware across critical systems.
The breach compromised data belonging to more than 90 client organizations including the Universities Superannuation Scheme (USS), NHS trusts, local councils, and Ministry of Defence contractors.
KEY FACTS
- What: Black Basta ransomware gang infiltrated Capita and exfiltrated 974GB of data.
- Who: 6.6 million individuals across 90+ organizations including NHS and pension funds.
- Data Exposed: Pension records, NHS data, government personnel files, and bank details.
- Outcome: UK ICO fined Capita GBP 14M, reduced from an initial GBP 45M proposal.
WHAT HAPPENED
In March 2023, the Black Basta ransomware group breached Capita plc - the UK's largest outsourcing company by government contract value, processing payroll, pensions, and sensitive data for more than 90 public and private sector organizations.
The attackers gained initial access through a phishing email that delivered a QakBot loader, establishing persistence on an employee workstation.
From there, Black Basta operators moved laterally across Capita's network over approximately nine days, escalating privileges and staging data for exfiltration before deploying ransomware.
The exfiltration totaled 974.84 GB encompassing 6.6 million individual records.
Affected client organizations included the Universities Superannuation Scheme - the UK's largest private pension fund managing GBP 82 billion for 500,000 members - as well as NHS trusts, local councils, and Ministry of Defence contractors.
Capita initially described the incident as a "technical issue" before acknowledging the ransomware attack days later. The company estimated total incident costs at GBP 25 million in its subsequent financial filings.
The UK ICO investigated for over two years before issuing a GBP 14 million fine in 2025, reduced from an initial GBP 45 million proposal.
The ICO's enforcement notice cited systemic failures in Capita's security architecture including inadequate network segmentation, insufficient monitoring, and the absence of multi-factor authentication on critical systems.
The fine specifically addressed violations of UK GDPR Articles 5(1)(f) and 32 - the obligation to ensure appropriate security of processing.
ZERO|TOLERANCE Advisory
A GBP 14 million fine against a company that processes pension data for 500,000 university staff, patient records for NHS trusts, and personnel files for Ministry of Defence contractors is not a deterrent. It is a rounding error.
Capita reported GBP 3.3 billion in revenue in the year the breach occurred.
The fine represents 0.4% of annual turnover - less than half of the 4% maximum the ICO could have imposed under UK GDPR. The ICO's own enforcement notice documented systemic failures so fundamental that the initial GBP 45 million proposal was arguably more appropriate.
The reduction to GBP 14 million tells every UK outsourcer that inadequate security is a cost of business, not a business risk.
The attack chain that Black Basta exploited is not novel.
It is the same chain that has worked against hundreds of organizations since 2022: phishing email delivers a loader, the loader establishes a foothold, the attacker moves laterally through a flat network, and data is exfiltrated in bulk before ransomware deployment.
The first control that would have disrupted this chain is phishing-resistant multi-factor authentication - specifically FIDO2 hardware security keys - on all employee accounts. QakBot's delivery mechanism relied on the victim clicking a link and providing credentials.
FIDO2 authentication is cryptographically bound to the legitimate domain and cannot be phished, replayed, or harvested by commodity malware. The ICO's enforcement notice confirmed MFA was absent on critical systems.
For an organization handling data for 6.6 million individuals, this is negligence.
The second control is network segmentation that prevents lateral movement from a single compromised workstation to systems containing pension records, NHS data, and government personnel files. Black Basta operated inside Capita's network for approximately nine days.
During that time, the attackers traversed from the initial phishing foothold to databases containing the most sensitive categories of personal data across 90+ client organizations.
A properly segmented network would have confined the attacker to the initial business unit, requiring additional exploitation at each boundary - creating detection opportunities and limiting the blast radius.
The third control is data loss prevention and exfiltration monitoring. The attackers moved 974.84 GB out of Capita's environment.
Nearly a terabyte of data leaving the network should have triggered automated alerts at multiple points - egress firewall rules, proxy logs, SIEM correlation rules, and endpoint detection telemetry.
The absence of any detection during a multi-day exfiltration operation indicates that DLP was either not deployed, not configured for the relevant data paths, or not monitored.
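The egress-volume check described above, written here as an added illustration rather than anything from Capita's environment or the ICO notice: a per-host sliding-window counter over a constructed proxy log that raises an alert the first time one workstation pushes more than a set number of gigabytes out of the network inside a day. The log format, the hosts, the 50 GiB threshold and the 24-hour window are all assumptions and would be tuned against an organization's own egress baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

GIB = 2 ** 30

# Constructed sample proxy egress log (hypothetical format: "<iso-ts> <src-ip> <dst-host> <bytes-out>").
# Host 10.20.5.14 pushes 8 GiB every hour for ten hours; host 10.20.7.3 is ordinary browsing traffic.
SAMPLE_LOG = "\n".join(
    [f"2023-03-22T{h:02d}:00:00 10.20.5.14 share.example-cloud.test {8 * GIB}" for h in range(10)]
    + [f"2023-03-22T{h:02d}:05:00 10.20.7.3 www.example.test {3 * 2 ** 20}" for h in range(10)]
    + ["malformed line that the parser must skip"]
)

LINE_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) (\S+) (\d+)$")


def parse_egress(text):
    """Yield (timestamp, src_ip, dst_host, bytes_out); lines that do not match are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts, src, dst, n = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(n)


def egress_alerts(events, window=timedelta(hours=24), threshold=50 * GIB):
    """Per-source sliding-window byte counter. Emits one alert per host the first time its
    outbound volume inside `window` reaches `threshold` (both values are assumptions)."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, bytes) still inside the window
    totals = defaultdict(int)     # src -> bytes currently inside the window
    alerted, alerts = set(), []
    for ts, src, dst, n in sorted(events, key=lambda e: e[0]):
        q = recent[src]
        q.append((ts, n))
        totals[src] += n
        while q and ts - q[0][0] > window:   # age out events that fell outside the window
            _, old = q.popleft()
            totals[src] -= old
        if totals[src] >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "at": ts.isoformat(), "bytes": totals[src], "dst": dst})
    return alerts


if __name__ == "__main__":
    for a in egress_alerts(parse_egress(SAMPLE_LOG)):
        print(f"ALERT {a['src']} moved {a['bytes'] / GIB:.0f} GiB by {a['at']} (last dst {a['dst']})")
```

In a real deployment the same counter would run over flow or proxy telemetry in the SIEM, with the threshold set per host role so that backup servers do not alert while workstations do.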
The fourth control is contractual and architectural separation of client data. Capita processed data for 90+ organizations in what the ICO's findings suggest was a shared infrastructure environment without adequate logical separation between client datasets.
Each client organization trusted Capita to protect their data independently. When one breach exposed all 90 clients simultaneously, that trust model failed.
Organizations outsourcing sensitive data processing must require - contractually and technically - that their data resides in isolated environments where a single compromise cannot cascade across the entire client base.
SOURCES
UK ICO Enforcement Notice, Capita PLC Regulatory Filings, USS Pension Scheme Notifications