
UK fines water supplier $1.3M for data breach affecting 664k customers

Originally published on: May 14, 2026
Summary

– The ICO fined South Staffordshire Water Plc and its parent company £963,900 for a cyberattack that exposed personal data of 663,887 customers and employees.
– The Cl0p ransomware gang’s leaked data was confirmed as authentic by the ICO, and the compromise was traced back to September 2020, lasting nearly two years.
– The breach began with a phishing attack that installed malware which went undetected for 20 months, leading to privilege escalation and domain administrator access by July 2022.
– Leaked data included names, addresses, bank details, and HR data such as National Insurance numbers; the ICO attributed the breach to security failures including insufficient monitoring and obsolete software.
– The initial fine was reduced by 40% because South Staffordshire admitted liability, cooperated, and agreed to settle without appeal.

The Information Commissioner’s Office has imposed a £963,900 ($1.3 million) fine on South Staffordshire Water Plc and its parent company, South Staffordshire Plc, following a major cyberattack that compromised the personal data of 663,887 customers and employees.

The utility, which delivers 330 million liters of drinking water daily to roughly 1.6 million consumers, first disclosed the incident in 2022, stating that its IT operations had been disrupted. At the time, company officials dismissed claims from the Cl0p ransomware gang, which had initially misidentified its victim before leaking what appeared to be authentic data samples.

An investigation by the ICO has since verified that the leaked information was genuine and traced the origins of the breach back to September 2020. The attack escalated significantly between May and July 2022, when the threat actor gained domain administrator access by escalating privileges across South Staffordshire Plc’s network. The malware remained undetected for 20 months, only discovered in July 2022 when performance issues prompted an internal review.

“We have fined South Staffordshire Plc and South Staffordshire Water Plc (together South Staffordshire) £963,900 following a serious cyber attack that resulted in the personal information of 633,887 people being extracted and published on the dark web,” the ICO stated. “The attack, which can be traced back to September 2020 but largely took place between May and July 2022, exposed significant failures in the company’s approach to data security and left customers and employees vulnerable for nearly two years.”

The exposed data included full names, physical addresses, email addresses, phone numbers, dates of birth, customer account credentials, bank account details, and sensitive employee HR records such as National Insurance numbers.

The regulator identified several critical security failures that enabled the breach. These included insufficient controls to prevent privilege escalation, monitoring that covered only about 5% of the IT environment, the use of obsolete software like Windows Server 2003, poor vulnerability management with missing security patches, and a lack of regular internal and external security scans.

Because the company admitted liability early, cooperated fully with the investigation, and agreed to settle without appeal, the ICO reduced the original penalty by 40%. The final fine reflects both the severity of the data protection violations and the company’s remedial cooperation.

(Source: BleepingComputer)
