"With so many cyber attacks in the headlines, our message is clear: every organisation, no matter how large, must take proactive steps to keep people's data secure," was the UK Information Commissioner's Office (ICO) message on 15 October 2025 as it issued a £14 million penalty to British outsourcing firm Capita for a data breach relating to a ransomware incident in March 2023.
The breach, which affected Capita employees as well as 325 pension schemes of Capita's clients, resulted in hackers stealing the personal information of 6.6 million people. The ICO's decision provides a detailed roadmap of what large, complex enterprises must do, both as controllers and processors of personal data, to meet their security obligations under data protection laws. For multinational general counsel (GC) and Chief Information Security Officers (CISOs), five themes stand out: (i) system controls preventing lateral movement in the IT estate; (ii) privileged access management; (iii) Security Operations Centre (SOC) responsiveness; (iv) risk-based testing and assurance; and (v) governance accountability across group companies and shared infrastructure.
The core failures: privilege, lateral movement, and alert response
The ICO's findings crystallise around two linked security deficits.
- Capita failed to implement appropriate measures to prevent privilege escalation and lateral movement across its multi-domain environment. Active Directory tiering and Privileged Access Management (PAM) were not in place, and a domain administrator service account was compromised and used to pivot across eight domains.
The ICO emphasised the benefits of using well-established state-of-the-art guidance and frameworks, including ISO 27001, which require least privilege as default, dedicated administrator accounts, and a tiered administration system, to reduce the potential impact a compromised privileged account may have. In Capita's case, the absence of these controls likely preceded the GDPR coming into force in 2018 and had been identified repeatedly in penetration tests months before the incident, yet was not remediated or disseminated group-wide.
- Capita failed to implement appropriate measures to respond to security alerts. A P2 "High" alert was generated within minutes of the malicious download, but effective isolation of the device took approximately 58 hours – far outside Capita's own one-hour Service Level Agreement (SLA) for P2 alerts and well beyond recognised threat breakout windows. The ICO noted that earlier isolation within four hours would likely have prevented subsequent privilege escalation, persistence, data exfiltration and ransomware deployment. The SOC was under-resourced (often one analyst per shift), failed to meet SLAs for a significant period, and lacked effective escalation (e.g., automatic upgrading of the alert from P2 to P1 status upon identification of Qakbot/Cobalt Strike on Capita's network). Tooling existed to "respond with speed," but was not configured or operationalised to do so.
Why it matters: controller and processor duties in large, federated undertakings
The ICO fined both a controller (Capita plc) under Articles 5(1)(f) and 32 of the UK GDPR, and a processor (Capita Pension Solutions Limited) under Article 32 of the UK GDPR, rejecting arguments for a single "undertaking-level" penalty. While the same shared controls were applied across the group, the roles, responsibilities and affected data sets of the two entities differed.
The ICO underscored that processors must independently meet the security obligations of Article 32, especially where a processor handles large volumes of special category data on behalf of numerous controllers.
The ICO also signalled that it will consider wider group governance realities when selecting the entities to penalise, noting the ICO's fining guidance states that "where a parent company owns all, or nearly all, the voting shares in a subsidiary there is a presumption that the parent company exercises decisive influence over the subsidiary's conduct. This presumption may be rebutted. However, the burden is on the parent company to provide sufficient evidence to demonstrate that the subsidiary acts independently."
"Appropriate" measures: state of the art, cost, and risk in practice
In relation to the security measures taken, the ICO carefully applied Article 32's "appropriate to the risk" test:
- State of the art is clear and longstanding. The ICO pointed to National Cyber Security Centre guidance on preventing lateral movement and secure system administration, Microsoft's Active Directory security guidance, CIS Controls (IG3), NIST CSF, and ISO 27001 controls on vulnerability management and asset inventory. For an IG3-scale enterprise with in-house cyber capabilities and SOC-as-a-service offerings, failure to deploy Active Directory tiering/privileged access management and to tune detection/response to known tools and attacker tradecraft fell below that standard.
- Cost and complexity do not excuse delay. The ICO accepted that implementing Active Directory tiering and privileged access management across multi-domain estates is complex and resource-intensive. But for a large, well-resourced group that processes sensitive personal data at scale, these must be seen as foundational controls. The post-incident deployment of products that facilitated administrative account tiering and the rapid staffing increases to the SOC demonstrated that this could be done when needed; the issue was prioritisation and timeliness.
- Nature, scope, context, and purpose of processing will raise the risk. Processing included extensive special category data across pensions administration and HR. The volume and sensitivity heightened the risk to data subjects and demanded robust measures, regular testing, and effective group-wide dissemination of remediation from local penetration findings.
Testing and assurance: risk-based scope and enterprise dissemination
A notable governance lesson is the ICO's criticism of a fragmented approach to penetration testing and risk management. Findings that "domain admins can log on to member servers" and that credential dumping was possible were repeated across tests from August 2022 through February 2023, yet remediation was not undertaken across all business units; the ICO took this to be Capita's acceptance of the risk.
The ICO appears to suggest that organisations, especially federated groups, should empower the CISO with overall management and oversight of security programmes. Such programmes should be integrated across the group, along with the dissemination of remediation guidance across the entire IT estate. To be clear, limiting penetration testing to externally facing or internet-exposed systems while housing vast troves of special category data internally will not satisfy Article 32(2)'s risk-based standard.
SOC performance: SLAs, automation, and escalation pathways
The ICO benchmarked Capita's SOC SLAs against the UK Government's Digital Marketplace for Cloud Services and found its targets broadly reasonable. The issue was consistent underperformance; inadequate staffing and manual processes; and failures to escalate based on threat indicators.
The lesson is not simply to set aggressive SLAs, but to ensure that the company's operating model, resourcing, runbooks and automation can meet them. The ICO's view that P2 should have auto-escalated to P1 on detection of Qakbot/Cobalt Strike, and that Capita's Endpoint Detection and Response system should have enforced immediate containment at scale, evidences an expectation of mature, tuned and automated SOC workflows in large enterprises, which would align with the security obligations under Article 32 of the UK GDPR.
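The escalation and SLA logic described here and in the alert-response finding above, as an added example that is not part of the article or of Capita's own tooling: a small triage model that upgrades P2 to P1 when a known high-risk family is identified and measures time-to-isolation against the containment SLA. The sample alerts, the P1/P3 SLA values and the indicator-matching rule are constructed assumptions; only the one-hour P2 SLA and the roughly 58-hour isolation delay come from the decision.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Families the ICO said should have triggered automatic escalation when seen on the
# network. Assumption: matched case-insensitively against detection indicator names.
HIGH_RISK_FAMILIES = {"qakbot", "cobalt strike"}

# Containment SLA per priority, in hours. P2 = 1h is Capita's own SLA as cited by the
# ICO; the P1 and P3 values are constructed assumptions for this example.
CONTAINMENT_SLA_HOURS = {"P1": 0.5, "P2": 1.0, "P3": 8.0}

@dataclass
class Alert:
    alert_id: str
    priority: str                    # "P1", "P2" or "P3" as originally raised
    raised_at: datetime
    contained_at: Optional[datetime]  # None while the endpoint is still not isolated
    indicators: tuple = ()           # tool / malware families named by the detection

def effective_priority(alert: Alert) -> str:
    """P1 if a known high-risk family was identified, else the priority as raised."""
    if any(name.lower() in HIGH_RISK_FAMILIES for name in alert.indicators):
        return "P1"
    return alert.priority

def containment_delay_hours(alert: Alert, now: datetime) -> float:
    """Hours from alert to isolation; an open alert is measured against 'now'."""
    end = alert.contained_at or now
    return (end - alert.raised_at).total_seconds() / 3600

def evaluate(alert: Alert, now: datetime) -> dict:
    """Apply escalation logic, then check the containment SLA for the effective priority."""
    priority = effective_priority(alert)
    delay = containment_delay_hours(alert, now)
    sla = CONTAINMENT_SLA_HOURS[priority]
    return {"alert_id": alert.alert_id, "priority": priority,
            "escalated": priority != alert.priority,
            "delay_hours": round(delay, 2), "sla_hours": sla,
            "sla_breached": delay > sla}

# Constructed sample alerts (not real Capita data). A-1 mirrors the timeline in the
# decision: a P2 raised minutes after the download, endpoint isolated ~58 hours later.
NOW = datetime(2025, 1, 1, 12, 0)
SAMPLE_ALERTS = [
    Alert("A-1", "P2", datetime(2025, 1, 1, 9, 0), datetime(2025, 1, 3, 19, 0), ("Qakbot",)),
    Alert("A-2", "P2", datetime(2025, 1, 1, 9, 5), datetime(2025, 1, 1, 9, 50)),
    Alert("A-3", "P2", datetime(2025, 1, 1, 8, 0), None),
]
```

Running `evaluate` over `SAMPLE_ALERTS` flags A-1 as escalated and 58 hours past a 30-minute P1 SLA, A-2 as contained within SLA, and A-3 as an open alert already four hours in breach.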
Enforcement posture: penalties, proportionality, and admissions
Initially calculated at over £58 million across the two entities, the fines were reduced for proportionality, linked processing, financial position and admissions of liability, and then further reduced to £14 million through settlement. The absence of widespread proven harm did not negate the seriousness of the breach. Importantly, the ICO reiterated that being a victim of a sophisticated attack is not a defence where foundational controls, timely response and risk-based assurance were lacking.
What multinational GCs and CISOs should prioritise now
This decision is a detailed blueprint for what the ICO considers "appropriate" security at scale and raises the operational baseline. In light of this, GCs and CISOs must engage at the board level to align governance and accountability in information security.
Data security should focus on four areas:
- Implement and regularly test AD tiering, PAM, and least privilege, with service account governance.
- Harden SOC efficacy, including staffing, alert tuning, runbook automation and escalation logic tied to known high-risk TTPs.
- Integrate testing and risk management so that critical findings propagate across entire IT estates, with volume and sensitivity of processing informing scope.
- Ensure that controllers and processors alike can evidence appropriate security measures in compliance with Article 32 of the UK GDPR, reflecting their distinct roles even where controls are shared.