The data protection watchdog the ICO has fined the water company South Staffordshire £963,900 after current and former customers, elderly and disabled people on the Priority Services Register, and current and former employees had their details published on the dark web.
How it happened
The attack can be traced back to a September 2020 phishing email, says the ICO. It came with an attachment which, when opened, enabled the attacker to install malicious software that remained undetected within the utility’s systems for 20 months, a lapse the privacy watchdog termed ‘negligent’. In May 2022 the hacker moved through the network and compromised domain administrator privileges — the highest level of system access to the IT network.
The breach was only identified when ‘marked IT performance issues’ prompted an internal investigation that began on July 15, 2022. The company reported a personal data breach to the ICO on July 24, 2022. Then, on July 26, South Staffordshire discovered a ransom note that the hacker had unsuccessfully attempted to distribute to some of the utility’s staff. Between August and November 2022, South Staffordshire detected that over 4.1 terabytes of data had been published on the dark web.
Numbers
At the time of the attack, South Staffordshire held personal information relating to about 1.85 million customers — around 750,000 current and 1.1 million former — as well as 2,791 former employees and 2,298 current employees. The breach resulted in the personal information of 633,887 people being published on the dark web in August 2022. South Staffordshire notified 390,628 data subjects of the personal data breach, mainly in November 2022, to those customers whose bank account number, sort code and current address were on the dark web, putting them at risk of fraud. South Staffordshire provided employees and those customers it had notified with a free 12-month subscription to a credit monitoring service. Although the ICO received complaints from data subjects that they had suffered distress as a result of the publication of their personal data on the dark web, these complaints ‘have not been interrogated’ by the ICO.
Failings
Among its failings, according to the ICO, as of December 2021 the water firm was monitoring only five per cent of its IT estate, through a third-party security operations centre. Nor did the water firm keep to the principle of ‘least privilege’ – giving staff only the IT permissions they needed. As for managing its IT risks, the water firm admitted to the regulator that it had no external or internal vulnerability scans to show for the period between September 2020 and May 2022.
What ICO says
Ian Hulme, ICO Interim Executive Director for Regulatory Supervision, said: “Customers do not have the choice over which water company serves them — they are required to share their personal information and place their trust in that provider. It is therefore essential that water companies honour that trust by taking their data protection responsibilities seriously.
“The steps that South Staffordshire failed to take are established, widely understood and effective controls to protect computer networks. The ICO expects all organisations — and particularly those handling large volumes of personal information as part of critical national infrastructure — to have these in place.
“Waiting for performance issues or a ransom note to discover a breach is not acceptable. Proactive security is a legal requirement, not an optional extra.”
The ICO and South Staffordshire agreed a voluntary settlement in April 2026.
About the firm
South Staffordshire serves about 1.6 million people in parts of Staffordshire and the West Midlands. Visit https://www.south-staffs-water.co.uk/. Its turnover is about £385m.