Strike Out Denied: Case Management Applied

24 February 2026

High Court refuses strike-out of group data breach claims in Spurgeon v Capita plc [2026] EWHC 241 (KB)

By a decision of 9 February 2026, Master Dagnall refused Capita’s (the Defendant’s) application to strike-out 3,973 claims arising from a cyber-attack, reinforcing the message that strike out for abuse of process is draconian and a remedy of last resort. The decision provides guidance and some warnings for solicitors handling large-scale data breach litigation.

Background

The Claimants alleged breaches of the Data Protection Act 2018 and EU and UK GDPR and sought damages including for distress arising from a cyber-attack which occurred between 1 November 2022 and 31 May 2023 and in which unidentified cyber criminals accessed and/or exfiltrated personal data of at least some of the Claimants. Capita primarily alleged that the Claimants’ solicitors had improperly advanced assertions within the Particulars of Claim regarding the mental consequences allegedly sustained by the Claimants in such a way as to taint their clients’ beliefs and evidence as to them and such that the entirety of the Claims had become an abuse of process (“the Abuse Ground”). A further ground contending the Claimants’ solicitors did not have proper instructions for some Claimants (“the Authority Ground”) was not ultimately pursued.

The Decision

The Court rejected the application. Placing significant emphasis on the distinction between pleadings on the one hand, and witness statements or evidence, on the other, the Court held that counsel has a wide latitude to consider how to formulate into the form of a pleading what is being said in instructions and as to how they seek and receive instructions. It was legitimate to use repetitive or generic phrases where the client properly authorises that. The Court went so far as to say that in group litigation, “At first sight, there is good reason to adopt a costs-limited course of adopting a generic allegation of facts provided that each individual claimant is prepared to assent that they believed that allegation as far as they are concerned…” (§193).

The Court decided that to strike out the Claims would be to deny the Claimants recourse against the Defendant for what in some cases was an admitted breach (giving rise to claims for damages which would seem to have a real potential foundation) and where in other cases, while liability was in issue, the abuse had nothing to do with the liability aspect.

The Master did, however, express that he was “distinctly concerned” by the wordings used in the Particulars of Claim and Tables which seemed “likely to obstruct the just disposal of proceedings”. Those words were “tormented”, “violation of security” and “betrayal of trust”, which could have a range of meanings such that they were unclear, and they had caused significant dispute already in the litigation (see §§200-209). However, this was best addressed at a consequentials hearing. It was noted in the Judgment that concerns about authority and lack of individual detail could be resolved through procedural tools such as Part 18 requests for information, further witness statements or amendment to pleadings. There would also be opportunities for the Defendant to cross examine the Claimants at trial as to the fact and extent of damage. These measures would allow proper scrutiny without prematurely terminating the Claims.

Practical Implications / Points to Note

The Court observed that this was “one of a considerable number of data protection breach claims…involving high, or very high, numbers of individual claimants” (§53). This is an area of increasing litigation.
For claimant solicitors, the decision confirms that large group claims will not automatically fail due to generic pleadings, provided they are properly authorised by individual claimants and any deficiencies are subsequently addressed.
For defendant solicitors, procedural challenges are likely to be more effective than strike-out applications when addressing generic or deficient pleadings.
All solicitors should have regard to the Court’s expressed concerns not only as to the costs of this litigation but “The fact that this litigation should be a question of to what remedy (if any) the individual claimants are each entitled, but where the hearing before me has been much of a battle between lawyers, and which seems to be a feature of other litigation…This may be due…to a belief on the defendant’s part of solicitors treating data breaches as an opportunity to generate claims and fees, and a counter from claimants that defendants are seeking to make suing too difficult in practice for claimants to obtain their proper compensation…I can merely remind all that the overriding objective is aimed at resolving disputes justly and at proportionate cost” (§234).
Generally, the courts favour active case management over early strike-out in this type of multi-claimant data breach action.
Reliance was placed by the Court in this decision on Farley v Paymaster [2025] EWCA Civ 1117, which is subject to appeal to the Supreme Court. The progress of the appeal should be kept under review.