
South Staffordshire Water Hit With £1m Fine Over Data Breach

Summary

– South Staffordshire Water and its parent company were fined nearly £1m ($1.4m) by the ICO after a data breach exposed personal information of over 633,000 people.
– The breach began with a successful phishing email in September 2020, but went undetected for nearly two years until IT performance issues prompted an investigation in July 2022.
– Stolen data included names, addresses, bank account numbers, employee National Insurance numbers, and information on customers with disabilities from the Priority Services Register.
– Security failings included limited access controls, inadequate monitoring (only 5% of IT environment), legacy unsupported software, and unpatched critical systems.
– The ICO stated that proactive security is a legal requirement, especially for critical national infrastructure, and that waiting for performance issues or a ransom note to discover a breach is unacceptable.

The UK’s data protection watchdog has imposed a fine of nearly £1 million ($1.4 million) on South Staffordshire Water and its parent company, South Staffordshire PLC, following a two-year data breach that exposed the personal information of more than 633,000 individuals. The penalty was reduced by 40% from the original £1.6 million after the company agreed not to contest the fine.

The breach began with a successful phishing email on September 11, 2020, which allowed attackers to install the Get2 downloader and the SDBbot remote access Trojan (RAT). The intrusion remained undetected for nearly two years. Between May 17 and August 4, 2022, the threat actor moved laterally through the network using a domain administrator account and Remote Desktop Protocol (RDP) to access 20 different endpoints.

The incident only came to light when unscheduled database exports caused IT performance issues, prompting an investigation on July 15, 2022. Nine days later, the company reported a personal data breach to the Information Commissioner’s Office (ICO). On July 26, a ransom note was discovered that the attacker had unsuccessfully attempted to send to employees.

The threat actor claimed to have stolen 4.1TB of data, affecting 633,887 current and former customers and employees, roughly 34% of all personal information held by the company, according to the ICO. The stolen data, which was dumped on the dark web, included highly sensitive information: full names, physical and email addresses, dates of birth, genders, telephone numbers, employee HR records including National Insurance numbers, customer account details, bank account numbers and sort codes, and data from the Priority Services Register from which disabilities could be inferred.

The ICO identified multiple security failures at South Staffordshire Water. Limited controls, including a lack of least privilege policy enforcement, allowed the attacker to escalate to administrator privileges. Inadequate monitoring and logging meant only 5% of the IT environment was being watched. The company also used legacy unsupported software on some devices, including Windows Server 2003, and had inadequate vulnerability management, with unpatched critical systems and no regular internal or external security scans.
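The lateral movement described above (a domain administrator account reaching 20 endpoints over RDP) and the monitoring gap described here are exactly what routine log review is meant to surface. The following detector is an added example, not code from the article, the ICO case study or South Staffordshire Water. It runs over constructed log records shaped like Windows Security Event ID 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP) and flags a privileged account that reaches several distinct hosts within a time window. It also measures how much of an assumed host inventory actually shows up in the logs, since a detector cannot see hosts that never forward events. The field names, the privileged-account list, the inventory and the sample records are all assumptions for illustration.

```python
"""Flag RDP lateral movement by privileged accounts and measure log coverage.

Added example, not from the article or the ICO case study. Records are
JSON lines shaped like forwarded Windows Security 4624 events; the field
names, accounts, hosts and inventory below are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = 10  # LogonType 10 = RemoteInteractive (RDP)

# Assumption: accounts whose interactive use should be rare and scoped.
# In a real deployment, derive this from Domain Admins group membership.
PRIVILEGED_ACCOUNTS = {"da-admin@corp.example"}

# Assumed asset inventory; some hosts deliberately never appear in the logs.
INVENTORY = [
    "WS-017", "WS-022", "WS-031", "WS-040", "WS-041", "WS-042",
    "SRV-FILE01", "SRV-DB02", "SRV-APP03", "SRV-HR01",
]

# Constructed sample records (not real log data). One JSON object per line.
SAMPLE_LOG = """\
{"time": "2022-05-17T22:01:10", "event_id": 4624, "logon_type": 10, "account": "da-admin@corp.example", "src_ip": "10.0.5.14", "host": "WS-017"}
{"time": "2022-05-17T22:15:42", "event_id": 4624, "logon_type": 10, "account": "da-admin@corp.example", "src_ip": "10.0.5.14", "host": "WS-022"}
{"time": "2022-05-17T23:03:05", "event_id": 4624, "logon_type": 3, "account": "da-admin@corp.example", "src_ip": "10.0.5.14", "host": "SRV-APP03"}
{"time": "2022-05-18T01:10:00", "event_id": 4624, "logon_type": 10, "account": "da-admin@corp.example", "src_ip": "10.0.5.14", "host": "SRV-FILE01"}
{"time": "2022-05-18T03:45:30", "event_id": 4624, "logon_type": 10, "account": "da-admin@corp.example", "src_ip": "10.0.5.14", "host": "SRV-DB02"}
{"time": "2022-05-18T08:30:00", "event_id": 4624, "logon_type": 10, "account": "helpdesk1@corp.example", "src_ip": "10.0.7.3", "host": "WS-031"}
{"time": "2022-05-18T09:12:00", "event_id": 4624, "logon_type": 10, "account": "helpdesk1@corp.example", "src_ip": "10.0.7.3", "host": "WS-040"}
"""


def parse_records(text):
    """Parse JSON lines into dicts, converting the timestamp to datetime."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        records.append(rec)
    return records


def rdp_logons(records):
    """Keep only successful RDP (RemoteInteractive) logons."""
    return [r for r in records
            if r["event_id"] == EVENT_SUCCESSFUL_LOGON
            and r["logon_type"] == RDP_LOGON_TYPE]


def detect_lateral_rdp(records, window=timedelta(hours=24), min_hosts=3):
    """Alert when a privileged account RDPs to >= min_hosts distinct hosts
    within any sliding window of the given length. Returns a list of alerts."""
    by_account = defaultdict(list)
    for r in sorted(rdp_logons(records), key=lambda r: r["time"]):
        if r["account"] in PRIVILEGED_ACCOUNTS:
            by_account[r["account"]].append(r)

    alerts = []
    for account, logons in by_account.items():
        for i, start in enumerate(logons):  # slide the window start
            hosts, sources = set(), set()
            for r in logons[i:]:
                if r["time"] - start["time"] > window:
                    break
                hosts.add(r["host"])
                sources.add(r["src_ip"])
            if len(hosts) >= min_hosts:
                alerts.append({
                    "account": account,
                    "first_seen": start["time"],
                    "hosts": sorted(hosts),
                    "sources": sorted(sources),
                })
                break  # one alert per account is enough here
    return alerts


def log_coverage(inventory, records):
    """Fraction of inventoried hosts that produced at least one event,
    plus the hosts that are silent (blind spots for any detector)."""
    seen = {r["host"] for r in records}
    silent = sorted(h for h in inventory if h not in seen)
    return {"fraction": len(seen & set(inventory)) / len(inventory),
            "silent": silent}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for a in detect_lateral_rdp(recs):
        print(f"ALERT {a['account']} RDP to {a['hosts']} from {a['sources']} "
              f"starting {a['first_seen']}")
    cov = log_coverage(INVENTORY, recs)
    print(f"log coverage {cov['fraction']:.0%}; silent hosts: {cov['silent']}")
```

On the constructed sample the privileged account trips the alert after four distinct hosts in under six hours, the helpdesk account does not (it is not in the privileged set), and the network logon (type 3) is ignored by the RDP rule while still counting toward coverage. Thresholds are starting points; tune `window` and `min_hosts` against a baseline of legitimate administrative sessions, and treat the silent-host list as a finding in its own right, since a detector only sees the part of the estate that forwards logs.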

Ian Hulme, ICO interim executive director for regulatory supervision, emphasized that water customers have no choice in their provider, making it essential for companies to take data protection seriously. “The steps that South Staffordshire failed to take are established, widely understood and effective controls to protect computer networks,” he said. “Waiting for performance issues or a ransom note to discover a breach is not acceptable. Proactive security is a legal requirement, not an optional extra.”

The ICO published a detailed case study that security professionals, especially those in critical national infrastructure sectors, can use to assess their own resilience. The regulator urged organizations to review their security posture by asking whether they have effective monitoring, least privilege access controls, regular vulnerability scanning, and a plan for detecting and responding to intrusions before a ransom note appears.

(Source: Infosecurity Magazine)
