The UK’s data protection regulator, the Information Commissioner’s Office (ICO), fined South Staffordshire Water’s parent company £963,900 over security failures linked to a cyberattack that exposed the personal data of 633,887 people.
According to the ICO, the South Staffordshire breach began in September 2020 with a phishing email that tricked an employee into opening an attachment, allowing attackers to install malicious software inside the company’s network. The intrusion remained undetected for 20 months.
“The breach was only identified when IT performance issues prompted an internal investigation to begin on July 15, 2022. The company reported a personal data breach to us on July 24, 2022. Then, on July 26, 2022, South Staffordshire discovered a ransom note that the hacker had unsuccessfully attempted to distribute to certain staff members,” the regulator said in a statement.
The company later identified more than 4.1 terabytes of stolen data published on the dark web.
The breached data included names, addresses, email addresses, dates of birth, phone numbers, bank account details, usernames, passwords, and National Insurance numbers. The exposed information also included data tied to customers on the Priority Services Register, from which disabilities could be inferred.
At the time of the attack, South Staffordshire held personal information tied to about 1.85 million customers, including roughly 750,000 current customers and 1.1 million former customers.
The investigation found several security failures, including weak controls that allowed attackers to gain administrator privileges, limited monitoring that covered only 5% of the IT environment, use of unsupported software including Windows Server 2003, and inadequate vulnerability management tied to unpatched systems and missing security scans.
“Customers do not have the choice over which water company serves them — they are required to share their personal information and place their trust in that provider. It is therefore essential that water companies honor that trust by taking their data protection responsibilities seriously,” said Ian Hulme, ICO Interim Executive Director for Regulatory Supervision.
“The steps that South Staffordshire failed to take are established, widely understood and effective controls to protect computer networks. The ICO expects all organizations — and particularly those handling large volumes of personal information as part of critical national infrastructure — to have these in place.
“Waiting for performance issues or a ransom note to discover a breach is not acceptable. Proactive security is a legal requirement, not an optional extra,” added Hulme.
The ICO informed South Staffordshire in December 2025 that it intended to issue a fine, later reducing the penalty by 40% after the company admitted liability early and agreed to settle the case without appeal.