Executive Summary
- What’s new: The UK ICO issued £15 million in GDPR fines against Capita and LastPass UK Limited for data breaches resulting from cyberattacks.
- Why it matters: These fines underscore the ICO’s emphasis on data breach enforcement and provide insight into the ICO’s approach to investigations and enforcement.
- What to do next: Companies should consider benchmarking cybersecurity against NCSC guidance, reviewing and updating incident response policies, and weighing the use of privilege in internal security documentation.
__________
In the final quarter of 2025, the UK Information Commissioner’s Office (ICO) issued fines under the General Data Protection Regulation (GDPR) totaling £15 million against Capita plc, Capita Pension Solutions Limited (together, “Capita”) and LastPass UK Limited for data breaches.
The fines provide insight into the ICO’s current approach to enforcement, including its treatment of group revenue. Below, we summarize the key themes from the decisions and important takeaways for all companies.
1. Proactive assessment and handling of cyber risk is essential.
In fining Capita £14 million on 15 October 2025, the ICO found that personal data had not been adequately protected prior to the attack. Specifically, it determined that inadequate security penetration testing, insufficient security operations center staffing and poor administrator access controls created a “foreseeable and avoidable risk which was exploited by the threat actor.”
While the ICO acknowledged that implementing these measures could be costly and time-consuming, it did not accept these challenges as an explanation for security shortcomings. Organizations with substantial resources (or those handling high-risk data) may want to consider the ICO’s high expectations for proactive and robust cybersecurity risk handling.
Both decisions extensively cite guidance from the UK National Cyber Security Centre (NCSC) in determining what amounts to “appropriate” security measures under the GDPR. When assessing their cybersecurity posture or interacting with the ICO, companies should consider benchmarking their security policies against NCSC guidance.
2. Consider the use of privilege to protect internal documents.
The Capita decision cites internal Capita security documents (e.g., penetration tests) that highlighted weaknesses in the company’s security practices. While it is important for companies to enable their technical teams to undertake robust security testing and openly communicate about and escalate cybersecurity shortcomings, it is vital that the potential legal impact of documenting these findings is considered. Companies should consider implementing methods to limit legal exposure, such as conducting testing under privilege, where appropriate.
3. There is a high bar for considering mitigating factors.
The ICO applies a high standard when evaluating mitigating factors. In fining LastPass £1.2 million on 20 November 2025, the ICO emphasized that although LastPass’ cooperation was “good,” it did not go “beyond what is reasonably to be expected” and so was not a mitigating factor. Likewise, in the Capita decision, the ICO found that issuing a GDPR notification within 14 hours — well before the 72-hour deadline — was not a mitigating factor. Companies should be aware that prompt notification and high resource allocation at the outset of a breach are not enough to constitute a mitigating factor, as the ICO expects continuous prompt and engaged responses. Companies may want to adjust their ICO engagement accordingly.
4. Fines can be assessed on holding or investment companies’ revenue.
LastPass was owned by an investment holding company. Consistent with European Union case law (see this client alert), the ICO based its fine calculation on the global revenue of the holding company (not just the revenue of LastPass), resulting in a significant fine representing approximately 8.5% of LastPass’ turnover. Private equity sponsors and investment companies should note this when considering the budget for portfolio company compliance plans, and when framing which entities form part of their corporate “group” during post-incident communication with regulators.
Immediate Actions for Companies
Given the ICO’s heavy focus on data breach enforcement, companies should consider:
- Benchmarking their technical cybersecurity positions against the NCSC’s guidance.
- Reviewing and updating privacy policies, security testing and incident response plans.
- Reviewing the wording of internal records and the use of privilege.
- Establishing a model for effective engagement with the ICO and other regulators.
- Conducting tabletop exercises to simulate and prepare for data breach scenarios.
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.