UK regulator fines South Staffordshire Water £963,900 over cyberattack exposing customer data

The Information Commissioner’s Office has fined South Staffordshire Water Plc and parent company South Staffordshire Plc £963,900 following a cyberattack that exposed the personal data of more than 633,000 customers and employees.


The UK data protection regulator said the breach stemmed from a phishing attack in September 2020 that allowed attackers to install malware on the company’s network. The intrusion remained undetected for approximately 20 months before being identified in July 2022 after IT performance issues triggered an internal investigation.


South Staffordshire Water, a regional water supplier serving approximately 1.6 million consumers and delivering 330 million liters of drinking water daily, disclosed in 2022 that it had experienced a cyberattack affecting its IT systems. The Cl0p ransomware group later claimed responsibility for the incident and published samples of stolen data online.


The ICO confirmed the leaked data was authentic and said attackers escalated privileges across the network between May and July 2022, eventually obtaining domain administrator access. Over 4.1 terabytes of information were later published on the dark web between August and November 2022.


Compromised information included full names, postal addresses, email addresses, phone numbers, dates of birth, customer usernames and passwords, bank account details, and employee human resources records, including National Insurance numbers. Information relating to disabilities affecting a small number of customers was also exposed.


The regulator identified multiple security failures that contributed to the breach, including inadequate controls to prevent privilege escalation, limited monitoring coverage across the company’s IT systems, poor vulnerability management, missing security patches, and the continued use of outdated software such as Windows Server 2003.


The ICO said the company’s monitoring systems covered only about 5% of its IT environment, allowing malicious activity to continue unnoticed for an extended period. Ian Hulme, the ICO’s interim executive director for regulatory supervision, said organizations are required to implement proactive cybersecurity measures rather than relying on system disruptions or ransom demands to reveal breaches.


The regulator reduced the original penalty by 40% after South Staffordshire Water and its parent company admitted liability, cooperated with the investigation, and agreed to settle the matter without appeal.


South Staffordshire Water previously stated that the incident did not affect the safety of water supplies and that operational systems remained secure throughout the attack.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543