Capita flagged to ICO again

Capita has been reported to the U.K. Information Commissioner’s Office again after a Civil Service pension portal error exposed some members’ personal data for about 35 minutes on March 30. (theregister.com) Capita said 138 members either saw another person’s Annual Benefit Statement data or had their own data seen by someone else. The company suspended that statement function, told affected members, and opened an investigation. (theregister.com) The Information Commissioner’s Office told The Register it had received a report about the incident and was “assessing the information provided.” The Cabinet Office said it was taking the breach “extremely seriously” and would consider further action. (theregister.com) The new report lands six months after the regulator fined Capita £14 million over its 2023 cyberattack. On October 15, 2025, the ICO said hackers stole personal data linked to 6.6 million people, including pension records, staff records, financial data and some special-category data. (ico.org.uk) That 2025 penalty was split between Capita plc and Capita Pension Solutions Limited, at £8 million and £6 million. The ICO said 325 organisations using Capita’s pension services were affected and said the company had failed to put in place appropriate security and response measures. (ico.org.uk) The latest problem involves the Civil Service Pensions Scheme, which Capita took over on December 1, 2025. Capita said in March it had inherited 86,000 work-in-progress cases and more than 15,000 unread emails from the previous provider. (capita.com) That contract has already been under pressure for service delays. Capita said more than 250,000 members had registered for the portal and that newly retired members had faced delays to some pension quotes and payments. (capita.com) Capita says it has overhauled its cyber defenses since the 2023 attack, including tighter privileged-access controls, a new security operations setup, and mandatory staff training. It also says it worked with the ICO during the earlier investigation and reached a voluntary settlement over the 2025 fine. (capita.com, ico.org.uk) For now, the immediate question is whether the latest portal error remains a contained reporting issue or becomes another formal enforcement case. The ICO has said only that it is assessing the information Capita provided. (theregister.com)