Legal action relating to the 2023 Capita cyberattack continues to move through the courts following a significant High Court ruling earlier this year.
Back in February, the court rejected an attempt by Capita to have the claims struck out at an early stage. That decision allowed the litigation to continue, and the case remains ongoing.
It follows the ICO’s £14 million fine against Capita after regulators concluded the company had failed to put appropriate security measures in place to protect personal data.
Join the Claim is currently working with a partner law firm in relation to this claim and we encourage potentially affected individuals to check whether they may be eligible to join the legal action.
What happened in the High Court earlier this year
In February 2026, Capita asked the High Court to dismiss claims brought on behalf of more than 8,000 people affected by the breach. The company argued that many claimants relied on similar descriptions of distress and anxiety following the incident, and that the claims should not proceed on that basis.
The court disagreed.
The judge ruled that it would be inappropriate to shut down the litigation before the evidence had been properly examined, particularly in a case involving thousands of people affected by the same cyberattack.
The ruling did not determine whether Capita is legally liable, and it did not award compensation.
However, it did confirm that:
- The group legal action can continue
- The claims will now proceed through the normal legal process
- Similar experiences of distress do not automatically invalidate data breach claims
- Large-scale group claims may be harder for companies to dismiss at an early stage.
The decision has since been viewed as an important development for group data breach litigation in the UK.
A reminder of what happened in the Capita breach
Capita provides administration and support services for hundreds of UK organisations, including pension schemes and employers. In March 2023, the company suffered a ransomware attack widely reported to be linked to the Black Basta cybercrime group.
Hackers gained access to systems containing personal information relating to around 6.6 million individuals.
The breach affected hundreds of pension schemes administered by Capita, along with organisations relying on its outsourcing systems.
Some of the stolen data was later reportedly circulated online.
Why was Capita fined £14 million?
In 2025, the Information Commissioner’s Office (ICO) fined Capita £14 million after concluding that the company had failed to implement appropriate cyber security measures. The regulator originally proposed a £45 million penalty, which was later reduced after Capita cooperated with the investigation and improved its systems.
At the time, Information Commissioner John Edwards said: “Capita failed in its duty to protect the data entrusted to it by millions of people.” The ICO concluded that personal data had been left at “significant risk”.
Does the ICO fine mean victims receive compensation?
No. This is a separate issue from the ongoing legal action.
ICO fines are regulatory penalties designed to punish organisations and improve standards. The money paid through a fine goes to the UK Treasury, not to affected individuals. The ICO does not have the power to award compensation to victims of a data breach.
If compensation is ultimately awarded in relation to the Capita breach, it would come through:
- A court judgment
- Or a settlement reached as part of the litigation.
That process is entirely separate from the ICO investigation.
Can affected individuals still join a Capita data breach claim?
Potentially, yes. If you were informed by Capita, your employer, or your pension provider that your personal data may have been involved in the breach, you may still be able to join the legal action.
And, because eligibility criteria and sign-up processes can change as cases develop, if you previously tried to sign up and were unable to, it’s worth checking again.
Find out more about the Capita breach and join thousands of others seeking justice and compensation for the anxiety, inconvenience, and risk caused.
Join the Claim connects consumers with SRA-regulated lawyers. Visit the claim page to check your eligibility if a claim is open with one of our trusted legal partners. If a group action has not yet been launched, you can register your interest and we’ll keep you informed if a partner firm decides to take a claim forward.
