In 2025, the Information Commissioner’s Office (ICO) fined Capita £14 million following its 2023 cyber attack, which affected around 6.6 million people.
But none of that £14 million will be paid to victims of the breach.
Here’s what actually happens to ICO fines.
Why the ICO fined Capita
Capita provides administration and support services to hundreds of UK pension providers. In March 2023, it was hit by a ransomware attack, widely linked to the Black Basta group.
Hackers accessed systems used to manage sensitive pension data. Capita confirmed that personal and financial information — including names, addresses, dates of birth and National Insurance numbers — may have been accessed. Some reports indicated that more sensitive data may also have been involved.
After investigating, the ICO concluded that Capita failed to put appropriate security measures in place, leaving personal data at significant risk.
The regulator initially proposed a £45 million penalty, but this was later reduced to £14 million.
“Capita failed in its duty to protect the data entrusted to it by millions of people,” said Information Commissioner John Edwards. “The scale of this breach and its impact could have been prevented had sufficient security measures been in place.”
Where does the fine money actually go?
This is the part that often surprises people.
When the ICO issues a fine, that money does not go to the people affected by the breach. The ICO has no legal power to distribute compensation to individuals.
Instead, the money is paid to the UK government, via the UK Treasury.
In practical terms, this means that even where millions of people are affected by a data breach, none of the ICO’s fine is shared among them. There is no mechanism for automatic payouts, refunds, or compensation.
The ICO’s role is to regulate and punish non-compliance, not to award compensation.
So, how do victims get compensation?
If you were affected by the Capita data breach, compensation does not come from the ICO fine. But you can pursue it as part of a group claim against Capita, and lawyers are now taking action on behalf of individuals whose data was exposed.
There are no guarantees of compensation, and each claim is assessed on its own facts. That said, the ICO’s findings, which confirmed failures in Capita’s data security, may support claims brought by affected individuals.
This is a completely separate process from the ICO’s regulatory fine.
Why fines and compensation are kept separate
It can feel frustrating that a company can be fined millions, while victims still have to take legal action to seek compensation. But the separation is deliberate.
Regulatory fines are designed to:
- Punish organisations for breaking the law
- Deter poor data protection practices
- Raise standards across the industry.
Compensation claims are designed to:
- Address the individual impact on real people
- Recognise distress, inconvenience, and potential financial harm
- Provide a route to personal redress.
One doesn’t replace the other – and a fine does not prevent affected individuals from bringing a claim.
What this means if you were affected by the Capita breach
ICO fines often make the headlines, but they’re only one part of the picture. If you’ve been told by your pension provider that your data was involved:
- You will not receive money automatically from the ICO fine
- You may still be able to claim compensation through legal action.
If your personal data was exposed in the Capita breach, compensation – if it comes – will come through the courts (or a settlement), not the regulator.
Join the Claim connects consumers with SRA-regulated lawyers. Visit the claim page to check your eligibility if a claim is open with one of our trusted legal partners. If a group action has not yet been launched, you can register your interest and we’ll keep you informed if a partner firm decides to take a claim forward.