The UK Information Commissioner’s Office fined South Staffordshire Water Plc and its parent company, South Staffordshire Plc, £963,900 ($1.3 million) for violations of the UK Data Protection Act 2018, after a cyberattack exposed the personal records of 663,887 customers and employees.
The compromise began in September 2020, when the attackers gained initial access through phishing and installed malware that then sat undetected for 20 months. Between May and July 2022 the same attackers escalated privileges across South Staffordshire’s network, eventually reaching domain administrator level.
The company, which supplies 330 million liters of drinking water daily to 1.6 million consumers, didn’t discover the breach until July 2022, when IT performance problems triggered an investigation.
The ICO confirmed the Cl0p ransomware gang carried out the attack; Cl0p had initially misidentified its victim before publicly claiming responsibility. The exfiltrated data, published to the dark web, included full names, physical addresses, email addresses, phone numbers, dates of birth, customer account credentials, bank account details, and employee National Insurance numbers.
The ICO cited systemic security failures: monitoring covered only about 5% of the IT environment, the company ran obsolete software including Windows Server 2003, vulnerability management was poor, and there were no effective controls against privilege escalation.
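The three findings above map onto checks a defender can automate. The Python below is an added illustration, not code from the ICO, the article, or South Staffordshire: it flags additions to privileged Active Directory groups (the domain-admin escalation), measures what share of an asset inventory is actually sending security events (the 5% monitoring gap), and lists hosts still running end-of-life operating systems (the Windows Server 2003 finding). The hostnames, account names, inventory and event records are constructed for the example, and the event ID and field layout assume a SIEM export of Windows Security log events.

```python
"""Three checks suggested by the ICO findings: privileged-group additions,
security-log coverage, and end-of-life operating systems.

All sample data below is constructed for illustration; hostnames, accounts,
group names and the event layout are assumptions, not records from the case.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Windows Security event IDs for "a member was added to a security-enabled group":
# 4728 (global group), 4732 (local group), 4756 (universal group).
GROUP_ADD_EVENT_IDS = {4728, 4732, 4756}

# Groups whose membership change means a new tier-0 administrator.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Operating systems past vendor end of life (assumed list for the example).
END_OF_LIFE_OS = {"Windows Server 2003", "Windows Server 2008", "Windows Server 2008 R2"}

# Constructed sample events, one JSON object per line as a SIEM might export them.
SAMPLE_EVENTS = r"""
{"time": "2022-05-14T02:13:07Z", "host": "DC01", "event_id": 4728, "subject": "CORP\\svc-backup", "member": "CORP\\jdoe", "group": "Domain Admins"}
{"time": "2022-05-14T02:13:09Z", "host": "DC01", "event_id": 4720, "subject": "CORP\\svc-backup", "member": "CORP\\tmpadmin", "group": ""}
{"time": "2022-05-15T09:41:00Z", "host": "FS02", "event_id": 4732, "subject": "CORP\\helpdesk1", "member": "CORP\\asmith", "group": "Remote Desktop Users"}
{"time": "2022-05-16T23:58:31Z", "host": "DC02", "event_id": 4756, "subject": "CORP\\jdoe", "member": "CORP\\svc-backup", "group": "Enterprise Admins"}
"""

# Constructed asset inventory: every host that should be forwarding security logs.
SAMPLE_INVENTORY = [
    {"host": "DC01", "os": "Windows Server 2019"},
    {"host": "DC02", "os": "Windows Server 2019"},
    {"host": "FS02", "os": "Windows Server 2016"},
    {"host": "APP03", "os": "Windows Server 2003"},
    {"host": "SCADA-HIST", "os": "Windows Server 2003"},
    {"host": "WEB01", "os": "Windows Server 2016"},
]


@dataclass(frozen=True)
class Alert:
    time: str
    host: str
    actor: str   # account that performed the change (the "subject")
    member: str  # account that was added to the group
    group: str


def parse_events(jsonl: str) -> list[dict]:
    """Parse JSON-lines event export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def privileged_group_additions(events: list[dict]) -> list[Alert]:
    """Return one Alert per addition to a privileged group, in event order.

    Account-creation events (4720) and additions to ordinary groups are ignored,
    so the output is small enough to be reviewed by a human every time it fires.
    """
    return [
        Alert(ev["time"], ev["host"], ev["subject"], ev["member"], ev["group"])
        for ev in events
        if ev.get("event_id") in GROUP_ADD_EVENT_IDS and ev.get("group") in PRIVILEGED_GROUPS
    ]


def log_coverage(inventory: list[dict], events: list[dict]) -> tuple[float, list[str]]:
    """Percentage of inventoried hosts that produced at least one event, plus the silent ones.

    A host that never appears in the log stream is either not forwarding or not
    collected; either way an attacker operating there is invisible to the SOC.
    """
    reporting = {ev["host"] for ev in events}
    silent = sorted(h["host"] for h in inventory if h["host"] not in reporting)
    covered = len(inventory) - len(silent)
    return 100.0 * covered / len(inventory), silent


def end_of_life_hosts(inventory: list[dict]) -> list[str]:
    """Hosts whose operating system is in the end-of-life set, sorted by name."""
    return sorted(h["host"] for h in inventory if h["os"] in END_OF_LIFE_OS)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for a in privileged_group_additions(events):
        print(f"ALERT {a.time} {a.host}: {a.actor} added {a.member} to {a.group}")
    pct, silent = log_coverage(SAMPLE_INVENTORY, events)
    print(f"log coverage: {pct:.0f}% of inventory; silent hosts: {', '.join(silent)}")
    print("end-of-life hosts:", ", ".join(end_of_life_hosts(SAMPLE_INVENTORY)))
```

Note that the coverage check depends entirely on the inventory being complete: a host missing from the inventory is neither counted as covered nor reported as silent, which is exactly how a large blind spot goes unnoticed. Feeding the inventory from a source the attacker cannot edit (asset management or DHCP leases, not the SIEM itself) keeps the two measurements independent.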
The ICO had originally proposed a higher penalty; the final figure reflects a 40% reduction granted because South Staffordshire admitted liability early, cooperated with the investigation, and agreed to settle. The company will not appeal, so payment of the £963,900 closes the matter.
James Okafor