UK ICO fines South Staffordshire Water £963,900 after cyberattack exposed data of 664k customers
At a glance:
- The ICO fined South Staffordshire Water Plc and its parent company £963,900 ($1.3 million) after a phishing attack exposed personal data of 663,887 customers and employees.
- The breach began in September 2020, went undetected for 20 months, and was only discovered in July 2022 after IT performance issues triggered an investigation.
- Security failures included obsolete Windows Server 2003, monitoring of only 5% of the IT environment, and poor vulnerability management — all violations of UK data protection rules.
What happened
The UK's Information Commissioner's Office has imposed a £963,900 ($1.3 million) penalty on South Staffordshire Water Plc and its parent company South Staffordshire Plc following a cyberattack that compromised the personal data of 663,887 individuals. The regulator confirmed that leaked data samples, which had earlier been dismissed by the company, were in fact authentic. The attack traced back to September 2020 but largely unfolded between May and July 2022, meaning customers and employees were left vulnerable for nearly two years before the breach was finally detected.
South Staffordshire Water supplies 330 million liters of drinking water to 1.6 million consumers every day, making it a critical infrastructure operator. In 2022 the company disclosed that it had been targeted by a cyberattack that disrupted its IT operations. At the time, the firm pushed back against claims from the Cl0p ransomware gang, which had initially misidentified its victim, arguing that the leaked data was not genuine. The ICO's subsequent investigation proved otherwise.
How the breach unfolded
According to the ICO, the attack began with a phishing campaign that gave attackers a foothold inside the company's systems. Once inside, the threat actors installed malware that remained undetected for 20 months. Between May and July 2022 the attackers escalated their privileges across South Staffordshire Plc's network and ultimately gained domain administrator access. The breach was only discovered in July 2022 after IT performance problems prompted an internal investigation.
The data that was extracted and published on the dark web was extensive. It included full names, physical addresses, email addresses, phone numbers, dates of birth, customer account credentials, bank account details, and employee HR data such as National Insurance numbers. The ICO described the exposure as a serious violation of UK data protection requirements.
Security failures identified
The ICO identified multiple systemic security failures that contributed to the data exposure. These included:
- Insufficient controls to prevent privilege escalation
- Monitoring that covered only about 5% of the IT environment
- Use of obsolete software, such as Windows Server 2003
- Poor vulnerability management and missing security patches
- Lack of regular internal and external security scans
Together, these gaps meant that the attackers could move laterally, escalate privileges, and exfiltrate sensitive records without triggering meaningful detection mechanisms. The regulator noted that the company's approach to data security was fundamentally inadequate for an organization holding such large volumes of personal and financial information.
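As an added illustration, not code from the ICO decision or from South Staffordshire's own tooling, the following Python script audits a constructed asset inventory against the three control gaps the regulator named: monitoring coverage, end-of-support operating systems, and patch cadence. The host list, the 30-day patch window and the 95% coverage target are assumptions; the end-of-support dates are vendor lifecycle figures and should be checked against Microsoft's published lifecycle data before use.

```python
"""Inventory hygiene audit: an added example, not code from the ICO decision or
from South Staffordshire. It scores an asset list against the three control
gaps the regulator cited: monitoring coverage, end-of-support operating
systems, and patch cadence. All hosts below are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# End-of-support dates (vendor lifecycle figures; verify against Microsoft's
# lifecycle pages before relying on them). Windows Server 2003 is the platform
# named in the ICO findings.
END_OF_SUPPORT = {
    "Windows Server 2003": date(2015, 7, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
}


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    monitored: bool     # forwards logs/telemetry to central monitoring
    last_patched: date  # date of the last successful patch run


@dataclass
class Findings:
    coverage: float            # fraction of hosts under monitoring
    unmonitored: list[str]
    unsupported_os: list[str]
    stale_patch: list[str]


def audit(hosts: list[Host], today: date, max_patch_age_days: int = 30) -> Findings:
    """Evaluate an inventory on a given reference date."""
    if not hosts:
        return Findings(0.0, [], [], [])
    monitored = sum(1 for h in hosts if h.monitored)
    unmonitored = [h.name for h in hosts if not h.monitored]
    # A host is unsupported once its OS has passed vendor end of support.
    unsupported = [
        h.name for h in hosts
        if h.os in END_OF_SUPPORT and END_OF_SUPPORT[h.os] <= today
    ]
    # A host is stale when its last patch run is older than the allowed window.
    stale = [
        h.name for h in hosts
        if (today - h.last_patched).days > max_patch_age_days
    ]
    return Findings(monitored / len(hosts), unmonitored, unsupported, stale)


def summarize(f: Findings, coverage_target: float = 0.95) -> str:
    """Render findings as pass/fail lines; the coverage target is an assumed baseline."""
    lines = [
        f"monitoring coverage {f.coverage:.0%} (target {coverage_target:.0%}): "
        + ("PASS" if f.coverage >= coverage_target else "FAIL"),
        f"end-of-support OS hosts: {len(f.unsupported_os)} "
        + ("PASS" if not f.unsupported_os else "FAIL " + ", ".join(f.unsupported_os)),
        f"hosts past patch window: {len(f.stale_patch)} "
        + ("PASS" if not f.stale_patch else "FAIL " + ", ".join(f.stale_patch)),
    ]
    return "\n".join(lines)


# Constructed reference date and inventory: 20 hosts, one of which reports to
# monitoring, mirroring the roughly 5% coverage figure in the ICO findings.
TODAY = date(2022, 7, 15)
SAMPLE_INVENTORY = [
    Host("dc01", "Windows Server 2003", True, date(2015, 7, 1)),
    Host("file01", "Windows Server 2008 R2", False, date(2019, 12, 1)),
    Host("app01", "Windows Server 2019", False, date(2022, 7, 1)),
    Host("app02", "Windows Server 2019", False, date(2022, 3, 1)),
] + [
    Host(f"ws{i:02d}", "Windows 10", False, date(2022, 7, 5)) for i in range(1, 17)
]

if __name__ == "__main__":
    print(summarize(audit(SAMPLE_INVENTORY, TODAY)))
```

On the sample inventory this reports 5% coverage, two end-of-support hosts and three hosts outside the patch window. In practice the host list would come from a CMDB or SIEM asset export, and the monitored flag from whether each host actually appears in the log pipeline rather than from a self-declared field, since the gap the ICO described was precisely between assumed and real coverage.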
The penalty and settlement
The ICO originally calculated a higher penalty, but reduced it by 40% because South Staffordshire admitted liability early, cooperated fully with the investigation, and agreed to settle without appeal. Even with the reduction, the £963,900 fine reflects the seriousness of the incident and the prolonged window during which data was exposed.
This case underscores a broader trend of the ICO taking a firmer stance on critical infrastructure operators that fail to maintain baseline cybersecurity hygiene. For water utilities and other essential services, the regulator expects robust patch management, comprehensive monitoring, and proactive vulnerability scanning — not just reactive incident response.
What to watch next
The outcome sets a precedent for how the ICO may treat other critical infrastructure breaches involving prolonged dwell times and legacy technology. Organizations running obsolete platforms such as Windows Server 2003 — which reached end of support years ago — face heightened regulatory risk. Security teams at utilities, healthcare providers, and local government bodies should review their monitoring coverage, privilege-access controls, and patch cadence in light of this enforcement action.
The Cl0p ransomware gang's involvement also highlights the evolving threat landscape for UK water and energy companies. Ransomware operators have increasingly targeted critical infrastructure, and regulators are paying closer attention to whether victim organizations took reasonable steps to prevent or limit the damage.
FAQ
What data was exposed in the South Staffordshire Water breach?
Full names, physical addresses, email addresses, phone numbers, dates of birth, customer account credentials, bank account details, and employee HR data including National Insurance numbers, affecting 663,887 individuals.
Why was the ICO fine reduced from the original amount?
The ICO cut its original calculation by 40% because South Staffordshire admitted liability early, cooperated fully with the investigation, and agreed to settle without appeal.
How long was the malware undetected on South Staffordshire's systems?
About 20 months: the initial phishing compromise dates to September 2020, and the breach was only discovered in July 2022 after IT performance problems prompted an internal investigation.
Prepared by the editorial stack from public data and external sources.