12.05.2026
3 min
147
The British regulator has fined South Staffordshire Water after a massive breach of personal data of hundreds of thousands of people. The attackers remained undetected inside the company’s network for almost two years.
A UK regulator has penalized South Staffordshire Water Plc and its parent South Staffordshire Plc £963,900 for one of the largest data breaches in history involving customer and staff records. An estimated 633,887 individuals are likely to be impacted by this massive breach.
This penalty was issued by the UK Information Commissioner’s Office (ICO), which stated that the company suffered through a series of significant violations of cybersecurity that enabled an attacker to live off the land within the company’s IT infrastructure for multiple years.
South Staffordshire Water provides approximately 1.6 million customers with potable water each year and delivers over 330 million liters of water daily. The company notified authorities of the cybercrime attack in late 2022 when the attack interfered with its business operations.
At the time of the notification of the attack, Cl0p Group publicly took credit for the attack. Initially, South Staffordshire Water Plc refused to acknowledge that the hack occurred due to mistaken identity naming another victim. This all changed once the organization released examples of stolen data and it was obvious that South Staffordshire Water Plc had indeed experienced a legitimate breach.
After completing an investigation into the breach, the ICO confirmed that the published personal identifiable information belonged to South Staffordshire Water Plc. Further investigations revealed that unauthorized access to the company’s IT network began on or about September 25th, 2020.
“Following our investigation, we have imposed fines totaling £963,900 on South Staffordshire Plc and South Staffordshire Water Plc for their failure to protect sensitive customer data, resulting in a cyber-attack where the personal data of 633,887 people was stolen and posted on the darknet.”
Further comments from the regulatory body pointed out several areas where the company failed to follow best practices related to protecting customer data. The primary issue identified by the ICO is that South Staffordshire Water Plc’s response to the incident showed a significant deficiency in how they addressed data protection issues during the incident.
In summary, according to the ICO, the beginning of the hacker’s invasion started with an email-based phishing campaign. Following successful exploitation of the phishing emails via malware, it is believed that the hackers had malicious code present on their network for almost two years before discovering it. During this period of time (May – July 2022) the hackers continued to elevate their levels of access until they ultimately obtained Domain Administrator access to the network. The discovery of the breach was triggered by a combination of both poor IT performance and an internal investigation conducted by South Staffordshire Water Plc.
The following types of information were included in the breach:
Full name;
Home address;
Email address;
Telephone number;
Date of birth;
Bank account details;
Account login credentials;
Employee Human Resource (HR) information including National Insurance Numbers.
The ICO also noted that there were many technical issues with South Staffordshire Water Plc’s security systems. Specifically, the security team had:
Poorly configured access control;
Limited monitoring (approximately 5%);
Legacy systems still running on outdated software including Microsoft Windows Server 2003;
Issues with keeping systems up-to-date and managing vulnerabilities;
No regularly scheduled internal or external audits to test their security posture.
All of these deficiencies constituted a direct violation of UK Data Protection Law according to the ICO.
The original fine would have been larger than the current fine since South Staffordshire Water Plc received a discount of 40 percent on their fine. The reason for this discount was because South Staffordshire Water Plc accepted responsibility for the breach and cooperated fully with the investigation.
