United Kingdom
CAPITA PLC
9,180,000 €
GDPR enforcement action by Information Commissioner (ICO) on 2025-10-15.
Rank · Sector
#8
of 597 in Industry and Commerce
Rank · United Kingdom
#5
of 28
Rank · All fines
#49
of 3,050
Case details
- Authority
- Information Commissioner (ICO)
- Date
- 2025-10-15
- Controller / Processor
- CAPITA PLC
- Sector
- Industry and Commerce
- Quoted Articles
- Art. 5 (1) f) UK GDPR, Art. 32 (1), (2) UK GDPR
- Type of violation
- Insufficient technical and organisational measures to ensure information security
Summary
The UK DPA has imposed a fine of £ 8,000,000 (EUR 9,180,000) on CAPITA PLC. CAPITA PLC acts as the data controller for the CAPITA Group, which has suffered a cyber attack. The controller failed to implement adeqaute technical and organisational measures to ensure data security and also failed to adequatly react to the incident.
Open original source
Links to the regulator's original publication or another source.
Related fines
United Kingdom
2020-10-16
22,046,000 €
ETid-58
British Airways
Transportation and Energy
United Kingdom
2020-10-30
20,450,000 €
ETid-60
Marriott International, Inc
Accomodation and Hospitality
United Kingdom
2026-02-23
16,610,000 €
ETid-3074
Reddit, Inc.
Media, Telecoms and Broadcasting
United Kingdom
2023-04-04
14,500,000 €
ETid-1730
TikTok
Media, Telecoms and Broadcasting
United Kingdom
2022-05-18
9,000,000 €
ETid-1190
Clearview Al Inc.
Industry and Commerce
United Kingdom
2025-10-15
6,880,000 €
ETid-2899
CAPITA PENSION SOLUTIONS LIMITED
Industry and Commerce