South Staffordshire Water Fined Nearly £1M for Cybersecurity Failures

Severity: High (Score: 69.0)

Sources: Ico.Uk, Nationaltechnology, Theregister, Therecord.Media

Summary

The Information Commissioner's Office (ICO) has fined South Staffordshire Plc and South Staffordshire Water Plc £963,900 due to a serious cyber attack that compromised the personal data of 633,887 individuals. The breach, linked to the Cl0p ransomware group, began with a phishing email in September 2020, allowing malware to remain undetected for 20 months. The hacker escalated privileges within the network by May 2022, leading to the leak of over 4.1 terabytes of data on the dark web. Key failures included inadequate monitoring, unpatched critical systems, and the use of unsupported software such as Windows Server 2003. The ICO's investigation revealed that South Staffordshire did not implement necessary security controls as mandated by UK data protection law. The fine reflects the severity of the breach and the company's lack of proactive security measures. Following the incident, South Staffordshire has made improvements to its cybersecurity posture. Key Points: • South Staffordshire fined £963,900 for failing to secure customer data. • The breach exposed personal information of 633,887 individuals, including sensitive data. • Inadequate security measures allowed hackers to remain undetected for nearly two years.

Key Entities

• Data Breach (attack_type)
• Malware (attack_type)
• Phishing (attack_type)
• Ransomware (attack_type)
• South Staffordshire PLC (company)
• South Staffordshire Water (company)
• South Staffordshire Water PLC (company)
• CWE-200 - Exposure of Sensitive Information (cwe)
• T1068 - Exploitation for Privilege Escalation (mitre_attack)
• T1204 - User Execution (mitre_attack)
• T1486 - Data Encrypted for Impact (mitre_attack)
• T1566.001 - Spearphishing Attachment (mitre_attack)
• T1567.002 - Exfiltration to Cloud Storage (mitre_attack)
• Windows Server 2003 (platform)
• Cl0p (ransomware_group)