UK Pensions: What’s new this week? October 20, 2025

Welcome to your weekly update from the A&O Shearman Pensions team, covering all the latest legal and regulatory developments in the world of workplace pensions.

ICO issues GBP14 million fine for cyber attack

The Information Commissioner’s Office (ICO) has imposed a GBP14m fine on the Capita group in respect of breaches of the UK General Data Protection Regulation (GDPR), following a cyber-attack in April 2023.

The incident began with a threat actor (an individual or group that intentionally causes harm to digital services or systems) gaining access to the Capita network following the download of a malicious file onto an employee device.

The threat actor then gained access to an administrator account with higher privileges and moved across the network, allowing it to gain access to the data of over six million people (including sensitive and special category data), disrupt Capita’s systems and deploy ransomware.

The ICO identified two overarching failures, which constituted breaches of the GDPR requirements to ensure appropriate security of personal data using appropriate technical and organisational measures:

  • Failure to prevent privilege escalation and unauthorised lateral movement. Capita had not implemented suitable controls to stop accounts from acquiring additional access privileges and moving laterally within the network. Penetration tests in 2022 and 2023 had already flagged this as an issue, but no action had been taken to remedy it.

The ICO accepted that it may not be practical to conduct penetration tests on every system in a network, but considered that systems which process significant amounts of personal data, especially sensitive or special category data, should have been subject to penetration tests. Alternatively, Capita should have ensured that learnings from tests conducted on other systems affecting the entire network were disseminated to each relevant legal entity and implemented across the network.

The ICO was mindful of Capita’s size and resources and believed that it was reasonable to expect Capita to go further in keeping its personal data secure than may be expected from a smaller and less well-resourced organisation.

  • Failure to respond effectively to security alerts. A high-severity alert was not effectively actioned for around 58 hours. Under its Service Level Agreement (SLA), Capita should have dealt with the alert within one hour of its creation. It took the threat actor four hours to gain privileged access to the network. The ICO found that if the alert had been responded to in line with industry standards and Capita’s SLA, it would have prevented the threat actor from being able to access and exfiltrate the affected data.

In investigating this failure, the ICO found that Capita’s security operations centre was under-resourced, had frequently missed its own SLA targets for alerts since 2022, did not adequately escalate alerts and relied on manual, rather than automated, processes.
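The two figures the ICO relied on here, a one-hour SLA for high-severity alerts and an alert left for around 58 hours, translate directly into a check a security operations team can automate: measure how long each alert has been open, compare it with the severity's response target, and escalate unacknowledged alerts automatically rather than leaving escalation to a manual process. The following is an added illustration written for this note; it is not code from the penalty notice or from Capita. The one-hour high-severity target and the 1h58m breakout figure are taken from the notice as described above; the medium and low targets, the escalation tiers and the sample alerts are assumed values constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Response-time targets per severity. The one-hour target for high-severity
# alerts mirrors the SLA described in the penalty notice; the medium and low
# targets are assumed values for illustration only.
SLA = {
    "high": timedelta(hours=1),
    "medium": timedelta(hours=4),
    "low": timedelta(hours=24),
}

# Average attacker breakout time cited in the notice (1 hour 58 minutes).
# An unacknowledged alert older than this has probably already been
# overtaken by lateral movement, so it is flagged separately.
BREAKOUT = timedelta(hours=1, minutes=58)


@dataclass
class Alert:
    alert_id: str
    severity: str
    created_at: datetime
    acknowledged_at: Optional[datetime] = None  # None: nobody has picked it up yet


@dataclass
class Finding:
    alert_id: str
    open_for: timedelta
    sla_breached: bool
    past_breakout: bool
    escalate_to: Optional[str]  # hypothetical escalation tier, None if no escalation needed


def assess(alert: Alert, now: datetime) -> Finding:
    """Measure time-to-acknowledge against the severity's target.

    For alerts nobody has acknowledged, the clock is still running (measured
    up to `now`); breached ones are escalated automatically instead of waiting
    for an analyst to notice the backlog.
    """
    end = alert.acknowledged_at or now
    open_for = end - alert.created_at
    target = SLA[alert.severity]
    breached = open_for > target
    unacknowledged = alert.acknowledged_at is None
    past_breakout = unacknowledged and open_for > BREAKOUT

    escalate_to = None
    if unacknowledged and breached:
        # Tiers are assumed for the example: one missed SLA goes to the shift
        # lead, anything more than double the target goes to incident management.
        escalate_to = "shift-lead" if open_for <= 2 * target else "incident-manager"

    return Finding(alert.alert_id, open_for, breached, past_breakout, escalate_to)


def review_queue(alerts: List[Alert], now: datetime) -> List[Finding]:
    return [assess(a, now) for a in alerts]


def breached_ids(alerts: List[Alert], now: datetime) -> List[str]:
    """Alert IDs whose time-to-acknowledge exceeded the SLA for their severity."""
    return [f.alert_id for f in review_queue(alerts, now) if f.sla_breached]


# Constructed sample queue (not real data). Times are arbitrary UTC values.
SAMPLE_NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    # High severity, acknowledged within 20 minutes: within SLA.
    Alert("A-1", "high", datetime(2025, 1, 10, 8, 0, tzinfo=timezone.utc),
          datetime(2025, 1, 10, 8, 20, tzinfo=timezone.utc)),
    # High severity, still unacknowledged after 58 hours: breached, past breakout.
    Alert("A-2", "high", SAMPLE_NOW - timedelta(hours=58)),
    # Medium severity, acknowledged after 3 hours against an assumed 4-hour target.
    Alert("A-3", "medium", datetime(2025, 1, 10, 8, 0, tzinfo=timezone.utc),
          datetime(2025, 1, 10, 11, 0, tzinfo=timezone.utc)),
    # High severity, unacknowledged for 90 minutes: breached but not yet past breakout.
    Alert("A-4", "high", datetime(2025, 1, 10, 10, 30, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for f in review_queue(SAMPLE_ALERTS, SAMPLE_NOW):
        print(f"{f.alert_id}: open {f.open_for}, breached={f.sla_breached}, "
              f"past_breakout={f.past_breakout}, escalate_to={f.escalate_to}")
```

Run as a script it prints one line per alert; run periodically against a live queue, the `escalate_to` field is what a ticketing or paging integration would act on, so that a missed one-hour SLA surfaces to a named owner within the same hour rather than two days later.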

Although multiple Capita entities were involved in the incident, the ICO focused its attention on Capita plc (as a data controller) and CPSL (as a data processor). This was on the basis that Capita plc bore overarching responsibility for group-wide data protection and security standards, and CPSL (although it had a lower degree of responsibility for security measures) processed the overwhelming majority of exfiltrated records for pensions clients. The ICO considered this approach effective and proportionate, while recognising the linked nature of the processing within the group and avoiding ‘double counting’. 

The ICO considered a range of aggravating and mitigating factors when deciding on the penalty, including: the large number of data subjects affected; the level of damage suffered (although the evidence did not show significant actual harm, the ICO considered that the very large number of data subjects affected by the infringement and the type of data at issue gave rise to significant potential for damage); the negligent nature of the infringements, given Capita had been made aware of the weaknesses in its systems; steps taken by Capita to mitigate the impact; Capita’s size, resources and identity as an expert; and the degree of cooperation with the ICO and other authorities and regulators. The Commissioner did not consider the absence of any previous infringements to be a mitigating factor because ‘compliance with the UK GDPR and DPA 2018 is to be expected.’

The case demonstrates the importance of robust cyber security practices. The penalty notice highlights that the average breakout time for a threat actor is now one hour and 58 minutes. Given these short windows for action, ‘it is critical that organisations aim to respond to security alerts quickly to avoid serious risk.’

Read the penalty notice.

TPR: Latest DC survey

The Pensions Regulator (TPR) has published the results of its latest DC survey (involving interviews with 200 trust-based occupational DC schemes). Key findings include:

  • 22% of schemes demonstrated all of the elements associated with assessing value for members.
  • 27% of schemes, including all master trusts, are already offering decumulation benefit options for members, in advance of the new requirements in the Pension Schemes Bill to provide default decumulation solutions. These options were more commonly offered via partnership arrangements rather than in-scheme.
  • 9% of schemes had started the process of transferring members to a master trust or planned to do so.

The survey demonstrated a consistent theme of performance improving in line with scheme size.

Read the survey.

Pensions UK guides on master trust transfers, DB run-on and AI

Pensions UK has published new ‘made simple’ guides covering:

  • Master trust to master trust transfers – this guide discusses the drivers for transitions from one master trust to another (for example, investment strategy and availability of retirement product solutions) and the practical, legal and other considerations involved. It includes a checklist of key issues to assist with early planning.
  • DB run-on – this guide looks at factors for employers and trustees to consider when weighing the options of moving to buy-out or running on; issues around using and sharing surplus; investment strategies; member security and operational considerations.
  • Artificial intelligence for UK pension schemes – this guide includes a jargon-buster and looks at use cases and practical applications of AI for pension schemes.

Read the guides on master trust to master trust transfers, DB run-on and AI for UK pension schemes.
