Environment Agency pensions administrator fined £14m
Published: November 5, 2025
Capita, the pensions administrator for – among others – the Environment Agency Pension Fund has been issued with a £14m fine by the Information Commissioner’s Office (ICO).
The fine, announced on 15 October, came in relation to a 2023 data breach that saw hackers steal millions of people’s information.
Capita plc has been fined £8m, while Capita Pension Solutions has been fined £6m – with Capita acknowledging the watchdog’s decision, admitting liability and agreeing to pay the fine in full.
The watchdog initially proposed a £45m fine, but reduced it to £14m after considering Capita’s representations on the provisional decision and a number of mitigating factors – including the improvements it made after the attack, the support it offered to affected individuals and its engagement with other regulators and the National Cyber Security Centre.
Capita acknowledged the decision and admitted liability as part of the voluntary settlement.
UK Information Commissioner John Edwards said: “Capita failed in its duty to protect the data entrusted to it by millions of people. The scale of this breach and its impact could have been prevented had sufficient security measures been in place.
“When a company of Capita’s size falls short, the consequences can be significant. Not only for those whose data is compromised – many of whom have told us of the anxiety and stress they have suffered – but for wider trust amongst the public and for our future prosperity.
“As our fine shows, no organisation is too big to ignore its responsibilities.
“Maintaining good cybersecurity is fundamental to economic growth and security. With so many cyber attacks in the headlines, our message is clear: every organisation, no matter how large, must take proactive steps to keep people’s data secure.
“Cyber criminals don’t wait, so businesses can’t afford to wait either – taking action today could prevent the worst from happening tomorrow.”
The attack began when a malicious file was downloaded unintentionally onto an employee’s device back in March 2023. Despite a high-priority security alert being raised within 10 minutes of the breach and some immediate automated action being taken, Capita did not quarantine the device for 58 hours.
During that time, the attacker used the malicious software to gain access to Capita’s network, maintain a foothold in its systems, obtain administrator permissions and move into other areas of the network.
Responding to the decision, Capita said it’s “committed to upholding the security of its data and protection of our systems for our clients and their customers”, adding that “we regret the incident and reaffirm that, following a detailed forensic investigation, all those identified as potentially impacted were contacted after the attack.”
Speaking on the day the settlement was announced, its chief executive Adolfo Hernandez said: “As an organisation delivering essential public services as well as key services for private sector clients, Capita was among the first in the recent wave of highly significant cyber-attacks on large UK companies.
“When I joined as CEO the year after the attack I accelerated our cyber security transformation, with new digital and technology leadership and significant investment. As a result, we have hugely strengthened our cybersecurity posture, built in advanced protections and embedded a culture of continuous vigilance.
“Following an extended period of dialogue with the ICO over the last two years, we are pleased to have concluded this matter and reach today’s settlement. The Capita team continues to focus tirelessly on our Group transformation journey for the benefit of our customers, our people and wider society.”
Cybercrime is estimated to cost the UK economy between £27bn and £30.5bn a year.