Capita cyber breach sends a clear message to pension Trustees

Ishaan Prasad, Associate director, Forensic Services
20/10/2025
The Information Commissioner’s Office has fined Capita a total of £14 million due to security issues that led to a cyber attack in 2023, and the theft of data affecting around 6.6 million people. The fine is divided, with £8 million levied against Capita plc and £6 million against Capita Pension Solutions Limited.

The ICO explained that Capita did not take sufficient steps to keep data secure and lacked proper technical and organisational measures to handle incidents effectively. Additionally, it was confirmed that there are more than 600 organisations supported by Capita Pension Solutions, with 325 of them being directly impacted.

This decision is more than a financial penalty: it sets out clearly what regulators expect of pension scheme Trustees and sponsors. It reinforces The Pensions Regulator’s (TPR) guidance on cyber controls and the lessons learned from the Capita incident, and it highlights TPR’s continuing focus on these areas.

What happened, in brief

According to the ICO, the March 2023 attack resulted in the theft of personal information from pension and staff records, including special category data for some individuals. Capita accepted liability and agreed to a voluntary settlement of £14 million after the ICO’s provisional plan to fine a total of £45 million, with the reduction reflecting improvements made and support given to those affected.

Reports indicate weaknesses in the operational response that increased the risk. For example, there was a delay of approximately 58 hours between detecting a high-priority alert and quarantining the affected device, and there were issues with resource allocation and alert management within the security teams. These are the failure points a response can be expected to have, and Trustees should evaluate their service providers against them.

Why this matters for pension schemes

Capita Pension Solutions processes data for hundreds of schemes, and 325 of those client organisations were affected. This highlights the sector’s reliance on shared administrators and the systemic consequences of a major administrator's compromise.

TPR’s general code, in force since March 2024, requires an effective system of governance that includes measures to manage cyber risk. TPR’s cyber controls module sets clear expectations for understanding, reducing and responding to cyber risk, including for arrangements delivered by advisers and service providers. TPR’s updated guidance also asks Trustees and providers to report significant cyber incidents to TPR voluntarily, as soon as reasonably practicable.

TPR’s regulatory intervention report on the Capita incident explains how it engaged with Trustees to protect payments and member data. It sets out the steps Trustees should take when their administrator is affected. Those lessons remain highly relevant across the sector.

Five takeaways from the ICO penalty that every Trustee board should apply

1. Security of processing is a board-level accountability, even when outsourced.

The ICO’s finding that Capita lacked appropriate measures to secure processing and to respond effectively is a reminder that controllers must assure themselves that their processors’ controls are adequate. Trustees remain accountable for scheme data and must evidence oversight of administrators, hosting providers and other suppliers.

2. The speed of detection and containment makes the difference.

Reports of significant delays between alert and quarantine show how swiftly a foothold can escalate into a network-wide compromise and extensive data exfiltration. Trustees should ensure administrators can demonstrate effective alert handling, sufficient out-of-hours resourcing, and automation capable of quarantining endpoints promptly.

3. Privilege management and lateral movement controls should be demonstrably proven, rather than simply assumed.

Media analyses of the Capita case highlighted weaknesses that enabled privilege escalation and lateral movement across systems, underscoring the importance of robust identity controls, including tiered administration, conditional access and effective segregation. Trustees should ask for independent testing evidence, not only policy statements.

4. Contractual rights need to match regulatory expectations.

TPR expects governing bodies to ensure service providers meet cyber control expectations in practice. Contracts should provide for access, audit, and information rights, as well as timely incident notification, scenario testing participation, and clear cooperation duties that align with reporting obligations to the ICO, TPR, and possibly the National Cyber Security Centre (NCSC).

5. Sector regulators expect proactive, open engagement.

The ICO reduced its provisional penalty after considering Capita’s improvements and engagement with regulators and the NCSC. TPR’s intervention report shows how multi-regulator coordination works in a live event. Trustees should have a playbook that outlines who engages with which regulator and when.

What good looks like for pension Trustees and sponsors

Map critical services and data flows

Maintain a current map of essential services for member payments and administration, along with the supporting data. Include hosted platforms, batch file exchanges and data sharing with investment managers, payroll and tracing services. TPR’s general code expects this level of understanding.

Mandate minimum security and response standards for administrators

Ask administrators to evidence, at least annually, their posture against common failure points that featured in the Capita incident, including alert triage and escalation times, containment automation, identity and privilege tiering, network segmentation, and tested backup and restoration for administrative platforms.

Exercise the incident playbook together

Run joint exercises with your administrator and key suppliers. Include simulated data exfiltration, negotiation pressure from threat actors, and decisions on member communications, credit monitoring and fraud prevention. TPR’s guidance emphasises the importance of planning for and managing incidents, rather than just trying to prevent them.

Set reporting and escalation triggers

Align contractual obligations with TPR’s guidance on voluntary reporting of significant cyber incidents and with statutory reporting to the ICO. Include time thresholds for first notification, member risk assessment and regulator updates.

Strengthen supplier oversight and assurance

Use independent assessments to verify administrator controls. When appropriate, request third-party assurance reports that include alert handling metrics, data loss prevention, and measures against common ransomware tactics. TPR expects Trustees to confirm that those managing data on their behalf have proper controls.
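The alert handling metrics referred to above, and the alert-to-quarantine delay discussed under takeaway 2, can be measured from an administrator's own detection and response records. The following is an added example (not from the article, Capita, TPR or any product) that computes hours-to-triage and hours-to-containment per alert from constructed EDR/SIEM events and flags breaches of an assumed per-priority threshold; the event format, alert IDs, timestamps and the one-hour high-priority limit are all assumptions, and the 58-hour gap in the sample mirrors the figure quoted earlier.

```python
"""Alert-to-containment metrics over constructed EDR/SIEM events.

Added example, not from the article or any Capita/TPR material. The event
format, alert IDs, timestamps and thresholds are assumptions; the 58-hour
gap on ALRT-1001 is constructed to mirror the delay quoted in the text."""
from datetime import datetime, timedelta

# Constructed sample events: "timestamp | alert_id | priority | action"
SAMPLE_EVENTS = """\
2023-03-22T08:04:00Z | ALRT-1001 | high | detected
2023-03-22T08:31:00Z | ALRT-1001 | high | triaged
2023-03-24T18:04:00Z | ALRT-1001 | high | quarantined
2023-03-22T09:10:00Z | ALRT-1002 | high | detected
2023-03-22T09:22:00Z | ALRT-1002 | high | triaged
2023-03-22T09:40:00Z | ALRT-1002 | high | quarantined
2023-03-22T10:00:00Z | ALRT-1003 | medium | detected
2023-03-22T11:30:00Z | ALRT-1003 | medium | triaged
"""

# Assumed maximum alert-to-quarantine time per priority, in hours.
THRESHOLD_HOURS = {"high": 1, "medium": 8}

def parse_events(text):
    """Group events by alert: {alert_id: {"priority": p, action: datetime, ...}}."""
    alerts = {}
    for line in text.strip().splitlines():
        ts, alert_id, priority, action = [f.strip() for f in line.split("|")]
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        alerts.setdefault(alert_id, {"priority": priority})[action] = when
    return alerts

def hours_between(rec, action):
    """Hours from detection to the given action, or None if it never happened."""
    if action not in rec:
        return None
    return (rec[action] - rec["detected"]) / timedelta(hours=1)

def containment_report(text, thresholds=THRESHOLD_HOURS):
    """Per alert: hours to triage, hours to quarantine and whether the SLA was
    breached. An alert that was never quarantined counts as a breach."""
    report = {}
    for alert_id, rec in parse_events(text).items():
        contain_h = hours_between(rec, "quarantined")
        limit = thresholds[rec["priority"]]
        report[alert_id] = {
            "priority": rec["priority"],
            "hours_to_triage": hours_between(rec, "triaged"),
            "hours_to_contain": contain_h,
            "sla_breached": contain_h is None or contain_h > limit,
        }
    return report

if __name__ == "__main__":
    for alert_id, row in containment_report(SAMPLE_EVENTS).items():
        print(alert_id, row)
```

Run against a real export, the same report gives a Trustee board a per-priority view of median and worst-case containment times to set against the contractual thresholds described above.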

The regulatory direction of travel

The ICO’s decision confirms that no organisation is too large to be held to account for security failings and slow response, and that improvements and constructive engagement can influence penalty outcomes.

For pension schemes, TPR’s general code and cyber controls create a clear governance baseline. Trustees are accountable for ensuring that those who handle scheme data have effective controls, that incidents are managed and reported and that member services continue. TPR’s intervention report on Capita shows how the regulator expects Trustees to act when their administrator is compromised.

How Crowe can help

Crowe’s cyber specialists support pension Trustees and sponsors with cyber risk governance, supplier oversight and incident readiness. Services include independent reviews against TPR expectations, contract and control gap analysis for administrators, scenario exercises and post-incident support.

If you would like a short workshop for your board to prioritise the actions above, or a focused review of your administrator oversight against TPR’s general code, we can arrange this at short notice.

Contact us

Tim Robinson
Partner, Cyber Security and Counter Fraud