South Staffordshire Water Fined Nearly £1 Million for Customer Data Hack

South Staffordshire Water has been fined £963,900 by the ICO.

South Staffordshire Water has been ordered to pay a penalty of £963,900 by the Information Commissioner's Office (ICO) following a significant cyber attack that compromised the personal data of hundreds of thousands of customers. The breach, which occurred over a period largely between May and July 2022, saw the personal information of 633,887 individuals accessed and subsequently published on the dark web.

The water company, which comprises South Staffordshire Plc and South Staffordshire Water Plc, serves areas including south Staffordshire, Walsall, Dudley, north Warwickshire, north Worcester, and south Derbyshire. The ICO's investigation revealed that the cyber attack was initiated through a phishing email, which allowed malicious software to be installed on the company's systems. This software remained undetected for an extensive 20-month period.

In May 2022, the attackers escalated their access, gaining administrator privileges within the firm's network. This level of access provided them with the highest degree of control over the IT network, according to the ICO's findings. The breach was only brought to light when internal IT performance issues prompted an investigation on July 15, 2022.

South Staffordshire reported the personal data breach a few days later. By July 26, 2022, the company had discovered evidence of a ransom note that the hacker had attempted to send to specific employees. This discovery marked a critical point in identifying the extent of the compromise.

Further investigation between August and November 2022 revealed that over 4.1 terabytes of data had been published on the dark web. This data included sensitive customer bank details and National Insurance numbers belonging to staff members. The sheer volume of data highlights the severity of the intrusion.

The ICO determined that South Staffordshire failed to implement adequate security controls as required by UK data protection law. These deficiencies allowed the hackers to achieve administrator access and operate largely undetected. The watchdog cited minimal monitoring of network activities, the use of obsolete systems, and a lack of regular security scans as contributing factors to the breach.

Ian Hulme, representing the ICO, emphasized the inadequacy of reactive security measures. He stated, "Waiting for performance issues or a ransom note to discover a breach is not acceptable. Proactive security is a legal requirement, not an optional extra." This statement underscores the ICO's expectation for robust, forward-thinking cybersecurity practices.

The company agreed to a voluntary settlement with the ICO and made an early admission of liability, opting to pay the penalty without launching an appeal. This resolution signifies the company's acknowledgment of the failures that led to the data compromise and its acceptance of the regulatory consequences.