The UK Information Commissioner’s Office has fined South Staffordshire Water Plc and its parent company South Staffordshire Plc £963,900, or about $1.3 million, after a cyberattack exposed the personal data of 663,887 customers and employees.

South Staffordshire Water supplies around 330 million liters of drinking water every day to 1.6 million consumers. The company first disclosed in 2022 that it had suffered a cyberattack that disrupted its IT systems. At the time, the Cl0p ransomware gang claimed responsibility, although it initially appeared to misidentify the victim. South Staffordshire dismissed some of the claims then, but leaked data samples later appeared to be genuine.

The ICO has now confirmed that the leaked information was authentic and belonged to South Staffordshire Water. Its investigation found that the compromise began as far back as September 2020, leaving customers and employees exposed for nearly two years before the incident was discovered.

According to the ICO, the attack started with a phishing email that allowed hackers to install malware on the company’s systems. That malware remained undetected for 20 months. Between May and July 2022, the attackers escalated their privileges across South Staffordshire’s network and eventually gained domain administrator access.

The breach was only uncovered in July 2022 after IT performance issues led the company to investigate its systems. By that point, attackers had already extracted and published sensitive data on the dark web.

The exposed information included full names, home addresses, email addresses, phone numbers, dates of birth, customer account credentials, bank account details, and employee HR records, including National Insurance numbers.


The ICO said the breach highlighted serious weaknesses in South Staffordshire’s security practices. Investigators found that the company lacked adequate controls to prevent privilege escalation, monitored only around 5% of its IT environment, ran outdated software including Windows Server 2003, failed to properly manage vulnerabilities and missing patches, and did not carry out regular internal and external security scans.

The regulator said these failures breached UK data protection rules and left hundreds of thousands of people at risk. The original fine was higher, but the ICO reduced the penalty by 40% after South Staffordshire admitted liability early, cooperated with the investigation, and agreed to settle without appealing.
