2023 Capita data breach

Cyberattack event
Date: 22 March 2023 – April 2023
Location: United Kingdom
Target: Capita plc IT systems and client data

The 2023 Capita data breach was a ransomware and data exfiltration incident affecting Capita, the British business process outsourcing and professional services provider, and millions of people whose data it processed. In late March 2023 hackers gained access to Capita's systems, stole large volumes of client and staff information and then deployed ransomware, disrupting internal IT services and causing prolonged outages across parts of the business.

Major clients, including the Universities Superannuation Scheme, later confirmed that personal data about hundreds of thousands of pension scheme members may have been compromised. By the end of May 2023, at least 90 organisations had notified the Information Commissioner's Office (ICO) of personal data breaches linked to the incident, and Capita estimated that the attack would cost up to £25 million in recovery and remediation expenses.

An investigation by the ICO concluded that personal data relating to around 6.6 million individuals, including special category data such as health and criminal record information, had been exfiltrated, prompting hundreds of complaints and a High Court multi-party claim on behalf of more than 8,000 people. In October 2025 the ICO fined Capita plc and Capita Pension Solutions Limited a combined £14 million for failures to implement appropriate security measures under the UK GDPR.