What happened, who was affected, and what we can learn…
October was dominated by the long-awaited conclusion of the Capita investigation, one of the UK’s largest corporate breaches in recent years. The ICO issued fines totalling £14 million, sending a clear message that delayed detection and poor internal alert handling are no longer defensible. Meanwhile, Discord and Kido Nurseries demonstrated how third-party and child-data risks remain persistent weak spots across sectors.
The month also saw ongoing regulatory change, with further provisions of the Data (Use and Access) Act 2025 coming into force, introducing new penalty-notice timelines and signalling a stricter enforcement landscape ahead.
Capita PLC/Capita Pension Solutions (CPSL)
Date Reported: 15th October, 2025
No. of UK Individuals Affected: ~6.6 million
Data Exposed or at Risk: Pension records; criminal records; financial and contact data; other special‑category data tied to 325 pension schemes and client staff.
ICO Response: Monetary penalties totalling £14m (£8m Capita PLC; £6m CPSL) following investigation and voluntary settlement signed 10th October, 2025; penalty notice issued 15th October, 2025.
Summary: A March 2023 intrusion was allowed to spread after a malicious file alert went unaddressed for ~58 hours; nearly 1TB of data was exfiltrated before ransomware deployment.
Commentary: This is one of the largest UK datasets exposed in recent years and shows how delayed alert handling and weak privilege controls can turn a single endpoint compromise into a systemic breach.
Discord (Third‑Party Vendor 5CA)
Date Reported: 7th–9th October, 2025
No. of UK Individuals Affected: Unknown UK subset (≈70,000 users globally received notifications).
Data Exposed or at Risk: Names, usernames, emails, partial billing info, IPs, support messages; a smaller set of government ID images used for age‑verification appeals.
ICO Response: ICO stated it is assessing the breach.
Summary: Attackers compromised a support vendor handling age‑verification and customer‑support interactions; Discord revoked access and notified affected users.
Commentary: Outsourced identity proofing concentrates highly sensitive data. UK organisations relying on age/ID checks (e.g., Online Safety Act compliance) should demand zero‑retention designs and contractually mandate vendor breach drill‑downs and kill‑switch access revocation within minutes, not hours.
Kido Nurseries
Date Reported: 2nd October, 2025 (update; initial ICO notification reported 25th September, 2025).
No. of UK Individuals Affected: ≈8,000 children and family members (UK‑led chain; international footprint).
Data Exposed or at Risk: Names, photos, home addresses; family contacts; alleged safeguarding notes.
ICO Response: ICO notified and reviewing the report.
Summary: After leak samples were posted to extort payment, the group later claimed to delete the data amid backlash; police arrested suspects in October.
Commentary: Child data is exceptionally high‑risk. Early‑years providers should revisit retention (delete photos/notes promptly), segregate safeguarding data, and ensure nursery‑management platforms enforce Multi-Factor Authentication (MFA), IP allow‑listing and tamper‑evident exports.
Insights for UK Organisations
- Vendor concentration risk peaked. Both Discord and Kido highlight exposure via third‑party platforms (support desks; nursery‑management systems). Controllers remain accountable under UK GDPR for processors’ failures; tighten due‑diligence, insist on short retention and run termination drills.
- Penalties favour fundamentals. The Capita decision reads like a checklist of basic controls (alert handling, privilege management, testing) that, if weak, drastically increase sanctions once harm scales.
- Children’s data is a lightning rod. Expect heightened ICO scrutiny and faster police action when minors’ data is involved; reputational harm escalates rapidly and lingers.
Legislative Context
Under the Data (Use and Access) Act 2025 (DUAA) the time allowed to issue a penalty notice after a notice of intent now extends to “six months or as soon as is reasonably practicable,” and the ICO must issue a written “no penalty” notice where applicable.
Alongside updated fining and procedural guidance, the ICO has been consulting on enforcement approaches and “consent‑or‑pay” models, a signal of active policy refinement that organisations should track.
Conclusion
October’s caseload shows the UK risk picture bifurcating: mega‑scale legacy breaches still concluding with heavy sanctions (Capita), while fresh third‑party failures surface at customer‑support and verification providers (Discord) and high‑harm sectors like early years education (Kido). UK organisations should double‑lock vendor risk, accelerate detection/containment SLAs, and reduce sensitive data footprints—especially images and documents collected for verification.
Disclaimer
This report is based on public disclosures, media reports, and ICO updates available at the time of writing. Figures for affected individuals may be estimated where not officially disclosed. This post is intended for informational purposes only and does not constitute legal advice.
Sources:
- Capita Fined £14m for Data Breach Affecting Over 6 Million People
- Capita PLC and Capita Pension Solutions Ltd. – Monetary Penalties
- Capita Cyber Security Breach
- Capita’s £14m ICO Fine – Lessons in Cyber Resilience for Trustees
- Update on a Security Incident Involving Third-Party Customer Service
- 5CA Holding Statement
- ICO Enforcement Action
