The Information Commissioner’s Office has fined South Staffordshire Water Plc and parent company South Staffordshire Plc £963,900 ($1.3 million) over a cyberattack that exposed the personal data of 663,887 customers and employees.
The company supplies 330 million liters of drinking water to 1.6 million consumers daily and, in 2022, disclosed that it was the target of a cyberattack that disrupted its IT operations.
At the time, the company dismissed claims from the Cl0p ransomware gang, which claimed the attack (after initially misidentifying their victim), but the leaked data samples appeared genuine.
The ICO’s investigation has now confirmed that the leaked data was indeed authentic, belonging to South Staffordshire Water Plc, and also noted that the compromise had actually started in September 2020.
“We have fined South Staffordshire Plc and South Staffordshire Water Plc (together South Staffordshire) £963,900 following a serious cyber attack that resulted in the personal information of 633,887 people being extracted and published on the dark web,” reads the ICO’s announcement.
“The attack, which can be traced back to September 2020 but largely took place between May and July 2022, exposed significant failures in the company’s approach to data security and left customers and employees vulnerable for nearly two years.”
According to the ICO, the breach occurred through a phishing attack that enabled the attackers to install malware on the firm’s systems. The malware remained undetected for 20 months.
Between May and July 2022, the attacker escalated privileges across South Staffordshire Plc’s network and gained domain administrator access.
The breach was only discovered in July 2022 after IT performance problems triggered an investigation.
The leaked data included full names, physical addresses, email addresses, phone numbers, dates of birth, customer account credentials, bank account details, and employee HR data such as National Insurance numbers.
The ICO has found multiple security failures leading to this data exposure incident, including:
- Insufficient controls to prevent privilege escalation
- Monitoring covered only about 5% of the IT environment
- Use of obsolete software, such as Windows Server 2003
- Poor vulnerability management and missing security patches
- Lack of regular internal and external security scans
These failures constitute a violation of UK data protection requirements, the regulator said, which is why a fine was imposed.
The initial amount was larger, but because South Staffordshire admitted liability early, cooperated with the investigation, and agreed to settle without appeal, the ICO reduced the penalty by 40%.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
