Capita is still in dialogue with the Information Commissioner's Office (ICO) following the cyber incident in March 2023, its half-year results have revealed, with a further charge of £3m recognised in the first half of 2025 in relation to the incident.

The provider previously confirmed in April 2023 that it had experienced a cyber incident and that there was evidence of “limited data exfiltration from the small proportion of affected service estate, which might include some customer, supplier or colleague data”.

The group initially suggested that it was expecting to face costs of between £15m-£20m in relation to the cyber incident, although it later increased this estimate to £20m-25m in August 2023.

The group's latest half-year results provided an update on the costs faced as a result of the cyber incident, with a charge of £3m recognised in the six months ending 30 June 2025 in relation to the March 2023 cyber incident, net of insurance receipts.

This pushes the cumulative net costs incurred since the incident in March 2023 to £29.3m, which includes the latest £3m cost, £25.3m incurred in 2023, and £1m in 2024.

"The group has incurred exceptional costs associated with the March 2023 cyber incident," the half-year report stated. "These costs include specialist professional fees, recovery and remediation costs and investment to reinforce Capita's cyber security environment."

In addition to this, Capita confirmed that it is now looking to re-invest in the business, having now begun its planned £50m investment into technology solutions this year, with spending in H1 on its data maturity and governance, investments in product offerings and further enhancements to cyber maturity.

Some pension funds have also provided recent updates on the progress seen since the 2023 incident, as the Environment Agency Pension Fund (EAPF) confirmed in its latest annual reports that whilst monitoring of the situation continues, there has been no evidence of any data leak or misuse to date, nor is there evidence of the data being available illegally on any third-party websites.

"The fund’s management team have continued to work with Capita and our professional advisor throughout to ensure data security measures are as robust as they can possibly be," the report stated.

"This includes a multi-client review of Capita’s current security controls by our professional advisor. The outcome of this was that Capita were given the score of ‘advanced’ across all security domains that were included in the review.

"This work will continue with Capita throughout their cyber transformation programme, so that the management team gain the highest level of assurance on the security and integrity of their systems.

"The fund will continue to utilise external advisers to support with this assurance to always ensure best practice."

However, the EAPF's report suggested that a final conclusion on the incident may be some time away, noting that, to date, the ICO has yet to publish its decision regarding the
incident, nor has there been any specific timeline set.

"However, it’s known that such cyber investigations can take several years to complete (especially with several pension schemes involved and with deeper complexities)," it stated.

"Capita continues to engage with the ICO to fully support their investigation."

The group also confirmed that the Experian membership afforded to members has continued during 2024/25 but will not be extended after it comes to an end in 2025/26, although members will have the option to extend at their own cost.

---