The UK Information Commissioner’s Office (ICO) has fined South Staffordshire Water and its parent company South Staffordshire Plc £963,900 (roughly $1.3 million) following a cyberattack that exposed the personal data of more than 633,000 customers and employees.
According to the ICO, attackers first gained access to the company’s systems in September 2020 through a phishing email containing a malicious attachment. The malware remained undetected inside the network for roughly 20 months before the attackers escalated privileges and moved deeper into company systems between May and July 2022.

The breach was only discovered after IT performance issues triggered an internal investigation in July 2022. Days later, the company found a ransom note that the attackers had attempted to distribute to employees.

Investigators later confirmed that more than 4.1 terabytes of data had been published on the dark web. The exposed information included customer names, physical addresses, email addresses, phone numbers, dates of birth, usernames, passwords for online services, bank account numbers, and sort codes. Employee data also included HR records and National Insurance numbers.

The ICO said the incident revealed multiple security failures inside the company’s infrastructure: inadequate monitoring, weak privilege controls, outdated software, and poor vulnerability management. At the time of the attack, only around 5% of the company’s IT environment was actively monitored, and some systems were still running Windows Server 2003, whose extended support ended in July 2015.

Regulators also found that critical vulnerabilities remained unpatched, including the ZeroLogon flaw in the Netlogon protocol (CVE-2020-1472), which the attackers later exploited to gain domain administrator privileges. The ICO said the company had not conducted regular internal or external vulnerability scans during the period the attackers remained inside the network.
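As an added example (not from the article or the ICO’s report), the following Python script shows the kind of audit that would have surfaced three of the gaps listed above: hosts running an out-of-support operating system, domain controllers with the Netlogon secure-channel enforcement for ZeroLogon (CVE-2020-1472) explicitly disabled, and Netlogon events showing that vulnerable connections are still being allowed or attempted. The host records and the log export lines are constructed, and the export line format is hypothetical; the event IDs 5827 to 5831 and the `FullSecureChannelProtection` registry value are the ones Microsoft documents for the CVE-2020-1472 fix.

```python
"""Audit constructed host records and a constructed System-log export for
end-of-life operating systems and Netlogon (ZeroLogon, CVE-2020-1472)
enforcement gaps. Added example; not code from the article or the ICO."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Netlogon event IDs Microsoft documents for the CVE-2020-1472 fix (KB4557222).
# 5827/5828: vulnerable secure channel connection denied (machine / trust account).
# 5829: vulnerable connection allowed because the DC is not in enforcement mode.
# 5830/5831: vulnerable connection allowed by an explicit group policy exception.
NETLOGON_DENIED = {5827, 5828}
NETLOGON_ALLOWED = {5829, 5830, 5831}

# Extended support for Windows Server 2003 ended on 14 July 2015.
OS_EOL = {"Windows Server 2003": date(2015, 7, 14)}

# Constructed System-log export; hypothetical format "<date> <host> System <eventid> <message>".
SAMPLE_EVENTS = """\
2022-06-01 DC01 System 5829 The Netlogon service allowed a vulnerable Netlogon secure channel connection.
2022-06-01 DC01 System 5829 The Netlogon service allowed a vulnerable Netlogon secure channel connection.
2022-06-02 DC02 System 5827 The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account.
2022-06-02 FS01 System 7036 The Print Spooler service entered the running state.
"""

EVENT_RE = re.compile(r"^(\S+) (\S+) System (\d+) (.*)$")


def parse_events(text: str) -> Dict[str, List[int]]:
    """Return {host: [event_id, ...]} from the constructed export, skipping unparseable lines."""
    by_host: Dict[str, List[int]] = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        by_host.setdefault(m.group(2), []).append(int(m.group(3)))
    return by_host


@dataclass
class Host:
    name: str
    os: str
    is_dc: bool = False
    # HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\FullSecureChannelProtection
    # 1 = enforcement mode, 0 = compatibility mode, None = value absent from the dump.
    full_secure_channel_protection: Optional[int] = None


def audit(hosts: List[Host], events_by_host: Dict[str, List[int]], today: date) -> List[str]:
    """Return one human-readable finding per gap detected."""
    findings: List[str] = []
    for h in hosts:
        eol = OS_EOL.get(h.os)
        if eol is not None and eol < today:
            findings.append(f"{h.name}: {h.os} out of extended support since {eol.isoformat()}")
        if not h.is_dc:
            continue
        if h.full_secure_channel_protection == 0:
            findings.append(f"{h.name}: FullSecureChannelProtection=0 disables Netlogon enforcement")
        ids = events_by_host.get(h.name, [])
        allowed = sum(1 for e in ids if e in NETLOGON_ALLOWED)
        denied = sum(1 for e in ids if e in NETLOGON_DENIED)
        if allowed:
            findings.append(f"{h.name}: {allowed} vulnerable Netlogon connection(s) allowed; DC not enforcing")
        if denied:
            findings.append(f"{h.name}: {denied} vulnerable Netlogon connection(s) denied; check the source machines")
    return findings


# Constructed inventory: two domain controllers and one file server on an EOL OS.
SAMPLE_HOSTS = [
    Host("DC01", "Windows Server 2016", is_dc=True, full_secure_channel_protection=0),
    Host("DC02", "Windows Server 2019", is_dc=True, full_secure_channel_protection=1),
    Host("FS01", "Windows Server 2003"),
]


def run_sample() -> List[str]:
    """Audit the constructed inventory as of 1 July 2022, shortly before the breach was found."""
    return audit(SAMPLE_HOSTS, parse_events(SAMPLE_EVENTS), date(2022, 7, 1))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

An absent registry value is deliberately not flagged on its own, since patched domain controllers enforce by default after Microsoft’s February 2021 update; the event IDs are the reliable signal, and a DC producing 5829 events is one that still accepts the vulnerable handshake.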

The cyberattack was linked to the Cl0p ransomware group, although the gang initially misidentified the victim publicly as Thames Water. South Staffordshire later confirmed that operational water supply systems were not affected and that drinking water services continued normally during the incident.

The ICO originally planned a larger financial penalty, but reduced the amount by 40% after South Staffordshire admitted liability early, cooperated with investigators, and agreed not to appeal the decision.

ICO Interim Executive Director Ian Hulme criticized the company’s delayed detection capabilities, stating that waiting for performance issues or ransom notes to identify breaches was unacceptable.
