South Staffordshire Water Fined Nearly £1M for Cybersecurity Failures

South Staffordshire Water Fined Nearly £1M for Cybersecurity Failures

First seen 11 May 2026, 11:32 UTC Ico.UkNationaltechnologyComputerweeklyTherecord.MediaTheregister+17 88% similarity 69.0

Article Content

Browse articles
ThreatCluster

The Information Commissioner's Office (ICO) has fined South Staffordshire Plc and South Staffordshire Water Plc £963,900 due to a serious cyber attack that compromised the personal data of 633,887 individuals. The breach, linked to the Cl0p ransomware group, began with a phishing email in September 2020, allowing malware to remain undetected for 20 months. The hacker escalated privileges within the network by May 2022, leading to the leak of over 4.1 terabytes of data on the dark web. Key failures included inadequate monitoring, unpatched critical systems, and the use of unsupported software such as Windows Server 2003. The ICO's investigation revealed that South Staffordshire did not implement necessary security controls as mandated by UK data protection law. The fine reflects the severity of the breach and the company's lack of proactive security measures. Following the incident, South Staffordshire has made improvements to its cybersecurity posture.

Key Points: • South Staffordshire fined £963,900 for failing to secure customer data. • The breach exposed personal information of 633,887 individuals, including sensitive data. • Inadequate security measures allowed hackers to remain undetected for nearly two years.

ThreatCluster AI

Timeline

2020-09-01
Phishing email initiated cyber attack
A phishing email allowed the attacker to install malware, starting the breach that lasted until 2022.
Ico.Uk
2022-05-01
Hacker escalated privileges
The attacker gained domain administrator privileges, allowing deeper access to the network.
Ico.Uk
2022-07-15
Breach detected during performance issues
An internal investigation was initiated due to IT performance problems, leading to the discovery of the breach.
Ico.Uk
2022-07-24
Breach reported to ICO
South Staffordshire reported the personal data breach to the ICO, revealing the extent of the compromised data.
Ico.Uk
2022-08-01
Data leaked on dark web
The personal information of 633,887 individuals was published on the dark web, including sensitive data.
Theregister
2025-12-01
ICO announced intent to fine
The ICO informed South Staffordshire of its intention to impose a fine due to security failures.
Ico.Uk
2026-05-11
Fine issued
The ICO officially fined South Staffordshire £963,900 for their cybersecurity failures.
Ico.Uk

Community

Browse all →