South Staffordshire fined nearly £1m after major cyber-attack and data breach

The Information Commissioner’s Office (ICO) has fined South Staffordshire Plc and South Staffordshire Water Plc (together South Staffordshire) £963,900, following a serious cyber-attack that resulted in the personal information of 633,887 people being extracted and published on the dark web.

An ICO spokesman said that the attack was traced back to September 2020 but largely took place between May and July 2022.

It exposed significant failures in the company’s approach to data security and left customers and employees vulnerable for nearly two years.

What happened

South Staffordshire suffered a cyber-attack which began with a successful phishing email.

The recipient opened an attachment that installed malicious software, which then remained undetected within the organisation’s systems for 20 months.

In May 2022, the hacker moved through the network and compromised domain administrator privileges — the highest level of system access to the IT network.

The breach was only identified when IT performance issues prompted an internal investigation in July 2022. The company reported a personal data breach to the ICO that month, and then discovered a ransom note that the hacker had unsuccessfully attempted to distribute to members of staff.

Between August and November 2022, South Staffordshire detected that over 4.1 terabytes of data had been published on the dark web.

Who was affected

At the time of the attack, South Staffordshire held personal information relating to approximately 1.85 million customers (around 750,000 current and 1.1 million former) as well as 2,791 current employees and at least 2,298 former employees.

The breach resulted in the personal information of 633,887 people being published on the dark web in August 2022. This included:

Personal details such as full name, physical address, email address, date of birth, gender and telephone number.

For employees, HR information including National Insurance numbers.

For customers, account information (including username and password for South Staffordshire Water online services) and bank account number and sort code.

For a small percentage of customers on the Priority Services Register, information from which disabilities could be inferred.

Failures

The ICO’s investigation found that South Staffordshire failed to implement appropriate security controls required under UK data protection law. These failures included:

Limited controls enabled the attacker to escalate to administrator privileges after gaining an initial foothold on the network.

Inadequate monitoring and logging — only 5% of the IT environment was being monitored, meaning malicious activity was not detected.

Use of obsolete, unsupported software on some devices, including Windows Server 2003.

Inadequate vulnerability management, including unpatched critical systems and the absence of regular internal or external security scans.

Ian Hulme, ICO Interim Executive Director for Regulatory Supervision, said: “Customers do not have the choice over which water company serves them.

“They are required to share their personal information and place their trust in that provider. It is therefore essential that water companies honour that trust by taking their data protection responsibilities seriously.

“The steps that South Staffordshire failed to take are established, widely understood and effective controls to protect computer networks. The ICO expects all organisations — and particularly those handling large volumes of personal information as part of critical national infrastructure — to have these in place.

“Waiting for performance issues or a ransom note to discover a breach is not acceptable. Proactive security is a legal requirement, not an optional extra.”

In December 2025, the ICO informed South Staffordshire it intended to fine them. The company then submitted representations, which have been carefully considered by the ICO. This included the improvements made after the attack, support offered to affected people and engagement with other regulators and the National Cyber Security Centre.

The ICO and South Staffordshire have now agreed a voluntary settlement. South Staffordshire made an early admission of liability and, in accepting the ICO’s findings, has agreed to pay the penalty without appeal. The ICO has applied a 40% reduction, bringing the final penalty to £963,900, in recognition of the efficiencies that South Staffordshire’s early admission brought to the investigation.

Lessons for the sector

The ICO is urging organisations to review their cyber resilience and ask:

Are controls in place so that users and systems can only access what they genuinely need?

Are logging and monitoring controls in place providing sufficient coverage of the IT environment, and are alerts being acted upon?

Are all systems patched and supported? Legacy or end-of-life software represents a significant and avoidable risk.

Is vulnerability management part of regular operational practice, including both internal and external scanning?

The ICO has published detailed guidance on protecting systems from ransomware attacks, as well as guidance on the responsibilities of data processors and controllers and lessons learnt from common security mistakes.
