ICO fines Staffordshire water provider over serious cyber attack

The Information Commissioner’s Office (ICO) has fined South Staffordshire Water PLC and South Staffordshire PLC nearly £1 million over a cyber attack that leaked the personal information of hundreds of thousands of people.

The breach began with a successful phishing email sent in September 2020 that allowed the hacker to install malware that remained undetected for 20 months. In May 2022, the hacker moved through the system, granting themselves the highest level of access available.

Throughout their time on the network, the hacker distributed more than 4.1 terabytes of data to the dark web, leaking the personal information of 633,887 customers and staff. The information included national insurance numbers, bank account details and full names and addresses.

The ICO found that South Staffordshire had failed to implement appropriate security controls, as required under UK data protection law. Its failures included inadequate monitoring and logging of the IT environment, limited controls on movement inside the network and inadequate vulnerability management, including unpatched critical systems and the absence of regular security scans.

The company was also found to use obsolete, unsupported software on some devices, including Windows Server 2003, which stopped being officially supported by Microsoft in 2015.

The fine totals £963,900, a 40 per cent reduction from its initial value due to the company’s cooperation. The ICO also acknowledged improvements made to South Staffordshire’s software after the attack.

“Customers do not have the choice over which water company serves them – they are required to share their personal information and place their trust in that provider,” said Ian Hulme, interim executive director for regulatory supervision at the ICO. “It is therefore essential that water companies honour that trust by taking their data protection responsibilities seriously.

“The steps that South Staffordshire failed to take are established, widely understood and effective controls to protect computer networks. The ICO expects all organisations – and particularly those handling large volumes of personal information as part of critical national infrastructure – to have these in place.

“Waiting for performance issues or a ransom note to discover a breach is not acceptable. Proactive security is a legal requirement, not an optional extra.”
