The UK’s Information Commissioner’s Office said it has fined South Staffordshire £963,900 over a data breach incident that compromised the personal information of 633,887 individuals.

The information protection watchdog said it issued the fines to South Staffordshire Plc and South Staffordshire Water Plc after finding “significant failures in the company’s approach to data security” that left customers and employees vulnerable for nearly two years.
South Staffordshire PLC first announced in August 2022 that it had suffered a ransomware attack that disrupted its corporate IT network but did not affect the usual supply of water to the company’s customers or to those of its subsidiaries - Cambridge Water and South Staffs Water.
The company confirmed later that year that the data security incident had compromised customers’ personal information such as their names and addresses and financial information such as bank sort codes and account numbers of customers who paid their water bills via Direct Debit. South Staffordshire PLC admitted that hackers had published the stolen data on the dark web.
The data security incident immediately led to an investigation by the Information Commissioner’s Office, which announced this week that South Staffordshire Plc and South Staffordshire Water Plc had failed to implement appropriate security controls, a failure that allowed hackers to gain access to their network and steal customers’ personal information.
The watchdog noted that the company monitored just 5% of its IT network, and so failed to detect the malicious activity when it first occurred. The company also failed to prevent the attackers from escalating to administrator privileges, and a lack of vulnerability management practices enabled the attackers to maintain persistence in the network for long periods.
The ICO found that the hackers were able to steal the personal information of 633,887 people out of approximately 1.85 million customers whose data was held by South Staffordshire PLC and its subsidiaries. The compromised data included customers’ names, addresses, dates of birth, email addresses, telephone numbers, bank account numbers and sort codes and credentials for South Staffordshire Water online services. The incident also compromised employees’ HR information, including their National Insurance Numbers.
“The steps that South Staffordshire failed to take are established, widely understood and effective controls to protect computer networks. The ICO expects all organisations — and particularly those handling large volumes of personal information as part of critical national infrastructure — to have these in place,” said Ian Hulme, ICO Interim Executive Director for Regulatory Supervision.
The ICO initially intended to fine South Staffordshire around £1.5 million for failing to prevent the incident from occurring, but later applied a 40 percent reduction to the fine after South Staffordshire PLC made an early admission of liability and agreed to pay the penalty of £963,900 without appeal.
The company also demonstrated the steps it had taken after the attack to improve its information security practices, the support it offered to customers whose data was compromised, and how it engaged with the National Cyber Security Centre and other regulators.
“We welcome South Staffordshire’s early admission and cooperation in this case, allowing us to reach a voluntary settlement and save resources,” Hulme added.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543