UK fines water supplier $1.3M for breach exposing 664k people's data

The Information Commissioner’s Office has fined South Staffordshire Water Plc and parent company South Staffordshire Plc £963,900 ($1.3 million) for a cyber attack that exposed the personal data of 663,887 customers and employees.
The company supplies 330 million liters of drinking water to 1.6 million consumers every day and, in 2022, disclosed that it was the target of a cyberattack that disrupted its IT operations.
At the time, the company dismissed the claims of the Cl0p ransomware gang, which said it had breached the utility (after initially not identifying its victim), even though the leaked data samples appeared to be genuine.
An ICO investigation has now confirmed that the leaked data was genuine and belonged to South Staffordshire Water Plc, and found that the compromise may have begun as early as September 2020.
“We have fined South Staffordshire Plc and South Staffordshire Water Plc (together South Staffordshire) £963,900 following a serious cyber attack which resulted in 633,887 people’s personal information being leaked and published on the dark web,” reads the ICO’s announcement.
“This attack, which may date back to September 2020 but most likely occurred between May and July 2022, exposed a major failure in the company’s data protection approach and left customers and employees vulnerable for nearly two years.”
According to the ICO, the breach occurred through a phishing attack that enabled attackers to install malware on the company’s systems. The malware remained undetected for 20 months.
Between May and July 2022, the attacker escalated privileges across South Staffordshire Plc’s network and gained domain administrator access.
The breach was discovered in July 2022 after IT performance issues prompted an investigation.
Leaked information included full names, physical addresses, email addresses, phone numbers, dates of birth, customer account details, bank account details, and employee HR data such as National Insurance numbers.
The ICO found several security failures leading to this data disclosure incident, including:
- Inadequate controls to prevent privilege escalation
- Security monitoring covering only 5% of the IT environment
- Use of outdated, unsupported software, such as Windows Server 2003
- Poor vulnerability management and missing security patches
- No routine internal and external security scanning
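As an added example (not code from the ICO, the article, or South Staffordshire), the following Python gap check runs over a constructed asset inventory and Domain Admins membership and reports three of the failings listed above: hosts running an operating system past Microsoft's end of extended support, the share of hosts actually forwarding logs to central monitoring, and privileged accounts outside an approved break-glass list. The hostnames, accounts and the 95% coverage target are assumptions; only the end-of-support dates are Microsoft's published ones.

```python
"""Gap check mirroring three findings from the ICO's list: unsupported OS
versions, partial monitoring coverage, and unconstrained Domain Admins.
Everything here except the Microsoft end-of-support dates is constructed."""
from datetime import date

# Microsoft end-of-extended-support dates for the releases used below.
EOL = {
    "Windows Server 2003": date(2015, 7, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
}

# Constructed inventory: (hostname, operating system, forwards logs to SIEM?)
INVENTORY = [
    ("dc01", "Windows Server 2019", True),
    ("dc02", "Windows Server 2016", True),
    ("fs01", "Windows Server 2003", False),
    ("app01", "Windows Server 2008 R2", False),
    ("app02", "Windows Server 2012 R2", False),
    ("db01", "Windows Server 2019", False),
    ("scada-hmi", "Windows Server 2003", False),
    ("web01", "Windows Server 2022", False),
]

# Constructed Domain Admins membership and an assumed break-glass allowlist.
DOMAIN_ADMINS = {"da-breakglass", "svc_backup", "jsmith", "svc_scada"}
APPROVED_DA = {"da-breakglass"}

# Reference dates: the month the breach was found, and a later audit date.
DISCOVERY_DATE = date(2022, 7, 1)
LATER_AUDIT_DATE = date(2024, 1, 1)


def unsupported_hosts(inventory, today):
    """Hosts whose OS was past its extended-support date on `today`.
    Releases not in EOL are treated as supported and are not flagged."""
    flagged = []
    for host, os_name, _ in inventory:
        eol = EOL.get(os_name)
        if eol is not None and eol < today:
            flagged.append((host, os_name, eol))
    return sorted(flagged)


def monitoring_coverage(inventory):
    """Fraction of inventoried hosts that forward logs to central monitoring."""
    if not inventory:
        return 0.0
    monitored = sum(1 for _, _, forwards in inventory if forwards)
    return monitored / len(inventory)


def unexpected_domain_admins(members, approved):
    """Domain Admins members that are not on the approved break-glass list."""
    return sorted(set(members) - set(approved))


def assess(inventory, members, approved, today, min_coverage=0.95):
    """Summarise the three gaps; `min_coverage` is an assumed target, not an ICO figure."""
    coverage = monitoring_coverage(inventory)
    return {
        "unsupported_hosts": [h for h, _, _ in unsupported_hosts(inventory, today)],
        "monitoring_coverage": coverage,
        "coverage_below_target": coverage < min_coverage,
        "unexpected_domain_admins": unexpected_domain_admins(members, approved),
    }


if __name__ == "__main__":
    report = assess(INVENTORY, DOMAIN_ADMINS, APPROVED_DA, DISCOVERY_DATE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Note that the end-of-support check is date-relative: as of July 2022 the Windows Server 2012 R2 host is still in support and is not flagged, but the same inventory audited in 2024 flags it too. Run this against an export of your real inventory rather than the constructed one above.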
These failures constituted a breach of UK data protection requirements, the regulator said, hence the fine.
The penalty the ICO initially calculated was higher, but because South Staffordshire admitted liability early, cooperated with the investigation, and agreed to settle without appeal, the ICO reduced it by 40%.
