Capita data breach claim
In March 2023, Capita was the victim of a serious cyber-attack in which the personal data of 6.6 million people was stolen, including, in some cases, people’s financial, medical and other very sensitive information. In October 2025, Capita was fined £14 million for failing to keep this personal data safe. Those affected are likely to have claims for compensation for any distress and / or financial losses suffered.
Capita data breach claim
The Capita Group assists a large number of organisations run their operations including over 600 organisations providing pension schemes. In late March 2023, the personal information of 6.6 million people was stolen from Capita by hackers, including the pension records, staff records and customer records of organisations being supported by Capita.
In October 2025, the Information Commissioner’s Office (ICO) found that, in breach of a legal requirement to do so, Capita had failed to take a range of measures to safeguard the personal data that they held and fined them £14 million.
While it varied from individual to individual, the categories of personal data taken included names, addresses, email addresses, phone numbers, dates of birth, NI numbers, driving licences, passport numbers, photo ID scans, bank account details, credit or debit card information, biometric information, employee information and signatures.
In some cases, it also included so-called ‘special category information’ comprising health / medical information and/or information on racial / ethnic origin, political beliefs, religious / philosophical beliefs, trade union membership, sexual orientation and/or criminal records checks.
On the information currently available, those affected by the data breach are likely to have strong claims for substantial compensation against Capita, and/or others, for failing to keep their personal information secure and the anxiety, fear and distress, and any financial losses caused by this.
Join the Capita data breach claim
How do I join the claim?
If you were notified that you were personally affected by the data breach suffered by Capita in March 2023 and wish to instruct us to start investigating and, if appropriate, to bring a claim on your behalf, please click on the button below to “Join the Claim” and complete our sign-up form to become a client by entering into a legally binding agreement for us to act for you.
I am ready to sign up
If I win my claim against Capita, how will I be compensated?
If your claim is successful, you will receive compensation for any distress or financial losses that you have suffered as a result of the data breach.
The value of your claim for compensation is likely to depend on a number of factors, including some specific to your individual situation.
Read our reviews
Why choose Leigh Day?
Experienced
Our human rights team has more than 20 years' experience in data protection and privacy claims. This includes challenging multi-national companies as well as local authorities and the NHS.
Informed
We keep on top of changes to information and data protection law to best advise our clients. We have brought successful compensation claims in cases where others wrongly accessed clients’ personal, medical and financial information.
Top ranked firm
The human rights team has been recognised as a leader in its field for many years. In 2022, we were top ranked in eight practice areas in Chambers and Partners.
How does it work?
We are acting for those affected by the data breach suffered by Capita in March 2023 to investigate and, if appropriate, then bring claims for compensation for any distress or financial losses suffered. It is likely that we will bring a group claim on behalf of all affected individuals who instruct us.
If you have been notified that you were personally affected by the data breach suffered by Capita in March 2023, have suffered distress or financial loss as a result of the data breach and have not already instructed other solicitors, you may be eligible to join the claim.
The value of the claim is likely to depend on a number of factors, including some specific to your individual situation, including the sensitivity of your personal information accessed, who your information has been disclosed to, the distress caused to you by the breach and whether you have suffered any financial losses.
On the information currently available, we consider that the value of affected individuals’ compensation claims is likely to be over a thousand pounds, after any deduction of our fees.
If you were notified that you were personally affected by the data breach suffered by Capita in March 2023 and wish to instruct us to start investigating and, if appropriate, to bring a claim on your behalf, please click on the button above to “Join the Claim” and complete our sign-up form to become a client by entering into a legally binding agreement for us to act for you.
Frequently Asked Questions
The Capita Group is an outsourcing business that assists a large number of organisations to run their operations. Companies within the Capita Group process personal data on behalf of a range of businesses in both the public and private sector. Capita plc is the ultimate parent company of a large corporate group consisting of multiple legal entities, including Capita Pension Solutions Limited which processes personal information on behalf of over 600 organisations providing pension schemes.
In late March 2023, the personal information of 6.6 million people was stolen by hackers, believed to be part of Russian-based ransomware group Black Basta, from the Capita Group, including the pension records, staff records and customer records of organisations supported by Capita. In particular, the data breach affected 325 of the over 600 organisations providing pension schemes whose personal data was processed by Capita Pension Solutions Limited. Personal data held by Capita Pension Solutions Limited and impacted in the breach, accounted for over 5.7 million of the 6.6 million people whose personal data was impacted by the breach.
The attack began when a malicious file was unintentionally downloaded by a Capita employee on to their device on 22 March 2023. Despite discovering the attack within 10 minutes of the breach, Capita did not quarantine the device for 58 hours, during which time the hackers were able to exploit Capita’s IT systems. Between 29 and 30 March 2023, hackers took nearly one terabyte of data. On 31 March 2023, the hackers then installed ransomware and reset all user passwords so preventing Capita staff from accessing their systems.
While it varied from individual to individual, the categories of personal data taken included the following:
• Name;
• Address;
• International address;
• Email address;
• Phone number;
• Date of birth;
• Child data;
• National Insurance (“NI”) number;
• Driver’s licence / driver’s licence scan;
• Passport number / passport scan;
• Photo ID scan;
• Other national ID / numbers;
• Bank account numbers and sort codes;
• Personal International Bank Account Number (“IBAN”);
• Credit card number / credit card scan;
• Debit card number and CVV / debit card scan;
• Biometrics;
• Employee login details;
• Copies of signatures.
In some cases this included ‘special category information’ including:
• Health information;
• Medical numbers;
• Racial/ethnic origin;
• Political beliefs;
• Religious/philosophical beliefs;
• Trade union membership;
• Sexual orientation;
• Criminal records (“CRB”) checks.
Following a lengthy investigation into the March 2023 data breach suffered by Capita, the Information Commissioner’s Office (ICO) issued a Monetary Penalty Notice (MPN) of the incident on 15th October 2025. To view the MPN, please click here.
The ICO found that Capita failed to implement a range of appropriate technical and organisational measures to safeguard the personal data they held. As a result of these failures, the ICO found that Capita infringed the UK General Data Protection Regulation (GDPR) and fined Capita plc £8 million and Capita Pension Solutions Limited £6 million.
The accompanying statement from the ICO specifically stated “Capita has acknowledged our decision and admitted liability, agreeing to pay a final penalty of £14 million without appealing.” Read More
On the present information, particularly in light of the ICO’s findings, there would seem good grounds for those personally affected by the March 2023 data breach to bring a claim for compensation against Capita, and/or others, for failing to keep the personal data safe. Specifically, the UK GDPR grants individuals the right to claim compensation for financial loss or emotional distress suffered as a result of a data protection law breach.
Those personally affected by the March 2023 data breach suffered by Capita should have been notified by letter or email at some time after March 2023.
For those whose personal information was affected, they are likely to have been notified by the particular organisation on whose behalf Capita were processing their personal information rather than Capita itself. So, for example, many of those affected are likely to have been contacted by their pension provider rather than Capita.
The organisations supported by Capita who it has been reported were affected by the data breach includes those found here.
However, it is likely that this list is incomplete and it is almost certain that there are other organisations, not on the list, who have been affected.
If you have received a letter or email from either the organisation on whose behalf Capita was processing your information or Capita itself at some time after March 2023 saying that you were personally affected by the data breach suffered by Capita in March 2023, you may have a claim for compensation.
This includes a claim for compensation for the distress caused by the data breach even if you have not lost any money.
How much compensation you can claim may depend on a number of factors, including some specific to your situation, such as:
• The sensitivity of the personal information accessed, including whether, for example, this included your bank account details or credit / debit card details.
• How many people had unauthorised access to your personal information and for how long.
• Emotional distress caused by the breach.
• Any financial losses experienced.
On the information currently available, we consider that the value of affected individuals’ compensation claims is likely to be over a thousand pounds after any deduction of our fees.
,
It will be necessary for us to obtain more information from you in due course as part of our investigation of your claim.
We will obtain a more detailed assessment of the value of the claims from the barristers specialising in data breach matters that we are instructing in this matter after we have completed our investigations.
It is too early to provide a timescale for when the matter will be resolved and, if successful, when you may receive any compensation for the data breach. To an extent, this will depend on how Capita respond and whether they wish to mediate or settle the claim.
We understand this can be frustrating, but we will keep our clients updated every step of the way via email. You can also reach out to us by emailing capitadatabreach@leighday.co.uk
We’ll handle your case under a conditional fee agreement (CFA), which means that you will not have to pay anything upfront and, if you win your case, we will cap our fees at a maximum of 30%, inclusive of VAT, of any compensation you are awarded. Therefore, you will keep at least 70% of any compensation awarded.
While the CFA is a so-called 'no win, no fee' agreement, it is not completely risk-free. The full CFA agreement sets out scenarios where you may become liable for costs even if your claim is unsuccessful. These include, for example:
-
if you decide to discontinue your claim part way through (after the 14-day cooling off period from when you sign up), you may be charged for the costs we have incurred (including a success fee if you then go on to win) and potentially the Defendant’s costs;
-
if you lie to us and / or fail to provide us with instructions so that we end the agreement, you may be charged for the costs we have incurred (including a success fee if you then go on to win) and potentially the Defendant’s costs;
-
if we do not fulfil the terms of the after the event insurance policy and the insurance then does not cover the Defendant’s costs and / or the disbursements that we have incurred on your behalf, you may be liable for these costs if the claim is unsuccessful (although in this situation it is likely that you would be able to make a claim against us / our professional indemnity insurers).
Please ensure you read the CFA agreement fully and understand the risk. If you have any questions about this, please contact us on capitadatabreach@leighday.co.uk .
For general guidance on “no win, no fee” arrangements, please see the following guide prepared by the Solicitors Regulation Authority here.
We are responding to sign-up form completions within 24 to 36 hours. If you have submitted your form during the weekend, please allow an extra day for responses, as we won’t see your details until the following Monday morning.
If you are still to receive a response after the above timescales, please email us at capitadatabreach@leighday.co.uk to check that the details we hold for you are correct.
The data breach claim is still at an early stage, so no compensation has been given out at the time of writing. However, please be assured that we will keep our clients updated via email.
You can also reach out if you need assistance at any point of the claims process by emailing capitadatabreach@leighday.co.uk.
We are aware that Capita announced a second data breach in May 2023. The ICO said in a statement that a “second data breach emerged in May when it was reported that the firm had left benefits data fields in publicly accessible storage, prompting several councils to say they thought their data had been compromised.”
It is reported that this second breach affected a number of local councils for whom Capita was processing personal data, including Adur and Worthing Councils, Colchester Council, Coventry City Council, Derby City Council, Rochford District Council and South Staffordshire Council. The personal data affected in this second breach included constituents’ benefit details, including PIP (Personal Independent Payment) information.
At this time, we are not acting for those affected by this separate Capita data breach of May 2023. So, if you were affected by this different data breach, please do not sign up to this claim.
Join the Capita data breach claim
what the directories say
“Sean is very thoughtful. He knows an awful lot about data protection and is very careful with his judgement.”
Chambers and Partners 2025 - Data Protection & Information Law
“Sean Humber is outstanding. Gene Matthews is terrific. Really personably and hugely experienced.”
Legal 500 2025, Group Litigation / Data Protection
Find out more about the news coverage related to this data breach
Capita data breach ‘may affect millions’ - The Times
- Fill out our online enquiry form
- Call us on 0207 650 1091
- Email the team at capitadatabreach@leighday.co.uk.
Our specialist data breach team bring claims against organisations who have failed to adequately protect their customers' personal information and as a result have suffered a data breach.
Our work includes acting for individuals or groups in claims against the government, the police, GPs, hospital trusts, local authorities, the courts as well as private companies.
If you have been personally affected by the data breach suffered by Capita in March 2023 and wish to join the claim, then please fill out our online form to become a client by entering into a legally binding agreement for us to act for you.
Alternatively, if you have any queries, contact the team by telephone on 0207 650 1091 or send an email to capitadatabreach@leighday.co.uk.