Scottish residents granted permission for group action against Capita

Capita could face a group legal action from people living in Scotland who were affected by a 2023 breach of its systems after a judge in the highest civil court granted permission, opening a route to compensation for thousands of people residing in the country.

According to a Scottish Legal News report, Supreme Court judge Jonathan Lake gave permission for group proceedings against Capita in relation to compensation claims surrounding the 2023 data breach in Capita’s pension business.

Separately, a February group data breach claim against Capita from 8,000 alleged victims of the data breach was given permission to proceed after the court rejected a submission from Capita that the case was an abuse of process.

The Information Commissioner’s Office (ICO) said six million people were affected after the Black Basta ransomware cyber attack in March 2023 saw information stolen, including pension and staff records, and details of Capita’s customers.

Last year, the ICO fined Capita £8m and Capita Pension Solutions £6m for failing to ensure the security of processing of personal data, which left it at significant risk. It added that the company did not have the “appropriate technical and organisational measures” to respond effectively.

The incident caused major IT outages and had a significant impact on customer-facing services at many public sector bodies and some operators of critical national infrastructure across the UK, with staff left unable to take calls from members of the public and others falling back on traditional pen and paper.

A total of 325 organisations, which are customers of Capita, were affected by the data breach, said the ICO. Among the organisations affected were several councils, including the London boroughs of Barnet and Barking and Dagenham, which were forced to suspend their call centre operations.

Dominic Ritchie, partner at law form Jones Whyte, which is representing victims of the cyber attack, said: “This is the moment affected individuals in Scotland have been waiting for. The data stolen in this breach was deeply personal – including pension details, National Insurance numbers and dates of birth.

“The impact on those affected has been very real, and today’s ruling gives them a genuine path to compensation. We would urge anyone who believes they may have been affected not to delay and to come forward as soon as possible to give themselves the best opportunity to pursue compensation.”

Speaking last year after the fine related to the 2023 attack, Adolfo Hernandez, CEO at Capita, said: “When I joined as CEO the year after the attack, I accelerated our cyber security transformation, with new digital and technology leadership and significant investment. As a result, we have hugely strengthened our cyber security posture, built in advanced protections and embedded a culture of continuous vigilance."

But Capita’s pensions business suffered a breach again in March this year when the Civil Service Pension Scheme, which Capta took of the administration of in December, was hit by a data breach affecting 138 members. According to the outsourcer, the issue led to scheme members being able to view personal annual benefit statements that were not their own.

A Capita spokesperson said at the time: “We are aware of an issue that occurred on the CSPS member portal for around 35 minutes on 30 March 2026, affecting the accuracy of a small number of annual benefit statements generated in this period.”