
South Staffordshire Water Fined £963,900 After Major Data Breach Exposes Customer Details
South Staffordshire Water, comprising South Staffordshire Plc and South Staffordshire Water Plc, faces a £963,900 fine from the Information Commissioner's Office (ICO) after a cyber attack compromised customer data. The intrusion has been traced back to September 2020; the personal information of 633,887 individuals was accessed, primarily between May and July 2022, and subsequently published on the dark web.
The company, which supplies areas including south Staffordshire, Walsall, and north Warwickshire, admitted liability early, reaching a voluntary settlement with the watchdog.
Breach Mechanics and Detection Failures
The attack began with a phishing email, which led to malicious software being installed on the company's systems. That malware went undetected for roughly 20 months. By May 2022 the attacker had moved through the firm's network and obtained administrator privileges, the highest level of system access.
The breach only came to light on 15 July 2022, when internal investigations were triggered by IT performance issues. A personal data breach was reported days later, and a ransom note, which the hacker had unsuccessfully attempted to send to staff, was discovered on 26 July 2022.
Between August and November 2022, South Staffordshire found that over 4.1 terabytes of data, including customer bank details and staff National Insurance numbers, had been published on the dark web.
ICO Findings and Legal Compliance
The ICO's investigation concluded that South Staffordshire failed to implement the security controls required by UK data protection law. That failure allowed the attacker to obtain administrator access and to operate largely undetected. The ICO cited three critical shortcomings: minimal monitoring of network and system activity, reliance on obsolete systems, and the absence of regular security scans.
Ian Hulme, from the ICO, stated that

