British privacy watchdog has fined a South Staffordshire water supplier nearly £1 million following a multi-year cyber intrusion that leaked the personal information of over 630,000 customers and employees.
The U.K.’s Information Commissioner’s Office (ICO) ordered South Staffordshire Plc and its subsidiary South Staffordshire Water Plc to pay $1.3 million (£963,900) for failing to detect an attacker for close to two years, resulting in the personal information of hundreds of thousands being published on the dark web.
U.K. water supplier failed to detect a hacker for nearly 2 years
According to the privacy watchdog, the attacker gained initial access via email phishing around 2020 by tricking the victim into installing malicious software. Previous reports had indicated that the threat actor may have obtained access through initial access brokers (IABs).
Between September 2020 and July 2022, the attacker remained undetected and escalated privileges to gain the highest administrative rights by compromising the domain controller and traversing across the entire network.
The attacker was only detected on July 15, 2022, due to network performance issues, which triggered a postmortem. The water supplier notified ICO of the breach on July 24, 2022. Between May and July 2022, the attacker exfiltrated 4.1 terabytes of data and attempted to extort the water supplier by distributing a ransom note around July 26, 2022.
The Cl0p ransomware gang took responsibility for the data breach and published the stolen data on a dark web leak site between August and November 2022. The hacking group had previously misidentified the victim organization as Thames Water and accused it of refusing to negotiate.
For most victims, the data breach exposed their full names, physical addresses, email addresses, dates of birth, gender, and telephone numbers. It also exposed employees’ National Insurance numbers, customer account information, including usernames and passwords for online services, bank account numbers, and sort codes.
In some cases, the data breach also leaked Priority Services Register information, which could identify individuals with various disabilities.
“Critical Infrastructure is a huge attack surface. Everyone in CI sectors should at least meet table stakes security. ‘You must be this tall to ride,’” said Josh Marpet, Senior Product Security Consultant, Finite State. “Multi-factor authentication, asset inventory, solid change management, software and firmware security, and third-party risk management are some of this.”
ICO fines South Staffordshire water supplier $1.3 million
ICO determined that the water supplier violated the UK’s data protection laws by failing to implement appropriate security controls, resulting in the personal information of 633,887 people leaking online.
The privacy watchdog found that inadequate controls enabled the threat actor to escalate privileges after gaining initial access. Similarly, inadequate monitoring and logging enabled the attacker to remain undetected for nearly two years, as only 5% of South Staffordshire’s IT infrastructure was being monitored.
“South Staffordshire Water had malware sitting undetected in its environment for 20 months,” said Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, Suzu Labs. “The breach was discovered because systems slowed down, not because anyone was looking.”
Additionally, the water supplier used outdated software, such as Windows Server 2003 and lacked adequate vulnerability management, including patching critical systems.
“The steps that South Staffordshire failed to take are established, widely understood and effective controls to protect computer networks,” said Ian Hulme, ICO Interim Executive Director for Regulatory Supervision. “Waiting for performance issues or a ransom note to discover a breach is not acceptable. Proactive security is a legal requirement, not an optional extra.”
Meanwhile, South Staffordshire has received a 40% discount, bringing the total fine to $1.3 million or £963,900 after admitting guilt and submitting a list of actions it took to address the data breach. The water supplier has also indicated it intends to pay the fine voluntarily.

