In 2023, we informed you that Capita (our pensions administrator) had experienced a cyber-attack. On 15 October 2025, the ICO published the results of its investigation into Capita and the cyber-attack.
The ICO found that "Capita had failed to ensure the security of processing of personal data which left it at significant risk, as well as lacking the appropriate technical and organisational measures to effectively respond to the attack".
The ICO issued a £14 million fine to Capita plc and Capita Pension Solutions Limited. The fine is part of a voluntary settlement which the ICO and Capita have agreed. Capita has acknowledged the ICO's decision and admitted liability, agreeing to pay a final penalty of £14 million without appealing. Further information can be found on the ICO's website.
We have updated our Q&A in light of the ICO's decision. We keep the most up-to-date information in the Cyber Q&A on our Cyber hub at www.eapf.org.uk/cyber.
No evidence of misuse of exfiltrated data
We can confirm that it remains the case that there is no evidence that information resulting from this incident has been misused, or that it is available illegally, including on any third-party websites. Capita continues to routinely monitor the dark web for any trace of exfiltrated data via independent third-party experts.