The U.K.’s Information Commissioner’s Office (ICO) fined South Staffordshire Water PLC and its parent company, South Staffordshire Plc, £964,900 following a 2022 Cl0p ransomware attack that exposed the personal data of over 633,000 customers and employees. The regulator said the operator failed to implement appropriate security measures before attackers gained access to sensitive customer information, some of which was later published on the dark web.
The ICO noted the penalty reflected a voluntary settlement and included a 40% reduction due to improvements made after the breach, cooperation with regulators, and support provided to affected customers.
The cyberattack disrupted the utility provider’s corporate IT systems. It became one of the U.K. water sector’s highest-profile ransomware incidents after the Cl0p gang initially misidentified the victim as Thames Water. The ICO said the case underscores growing regulatory scrutiny on critical infrastructure operators over cyber resilience and data protection obligations, particularly as ransomware groups increasingly target utilities and essential services. South Staffordshire Water had previously stated that drinking water supplies and operational delivery systems were not affected by the intrusion due to existing operational safeguards.
“Customers do not have the choice over which water company serves them — they are required to share their personal information and place their trust in that provider,” Ian Hulme, ICO interim executive director for regulatory supervision, said in a Monday media statement. “It is therefore essential that water companies honour that trust by taking their data protection responsibilities seriously.”
Hulme mentioned that the steps that South Staffordshire failed to take are established, widely understood and effective controls to protect computer networks. “The ICO expects all organisations — and particularly those handling large volumes of personal information as part of critical national infrastructure — to have these in place. Waiting for performance issues or a ransom note to discover a breach is not acceptable. Proactive security is a legal requirement, not an optional extra.”
The ICO detailed that the attack, which can be traced back to September 2020 but largely took place between May and July 2022, exposed significant failures in the company’s approach to data security and left customers and employees vulnerable for nearly two years.
“South Staffordshire’s investigation found that initial access occurred on 11 September 2020 through a successful phishing campaign. The opening of the malicious attachment to a phishing email led to the installation of the tool Get2 and the Remote Access Trojan, SDBBOT, which was used to establish persistence on the endpoint,” according to details released by the agency. “The threat actor is understood to have remained dormant, albeit with potential access to the network, until 17 May 2022, following which they began to move laterally within the network. The threat actor was identified as having accessed twenty different endpoints between 17 May 2022 and 4 August 2022, the date of the last observed activity by the threat actor on the IT environment.”
On July 26, 2022, South Staffordshire discovered a ransom note that threat actors had unsuccessfully attempted to distribute to certain staff members. In the note, the attackers claimed to have exfiltrated 5.5 TB of data from the company’s systems. South Staffordshire said no further threat actor activity was observed within its IT environment after August 4, 2022. However, between August 25 and November 18, 2022, the company detected approximately 4.121 TB of exfiltrated data published on the dark web.
The leaked data reportedly included the personal information of around 633,887 U.K. individuals, including current and former customers, individuals registered under the Priority Services Register, as well as current and former employees. Following an analysis of the published personal data, South Staffordshire notified 390,628 data subjects of the personal data breach. Data subjects were notified where South Staffordshire considered there were good grounds for supposing that Article 34 U.K. GDPR was engaged.
South Staffordshire provided current employees and customers it had notified with a free 12-month subscription to a credit monitoring service, to assist in identifying any potentially fraudulent activity. South Staffordshire set up a dedicated helpline to answer any questions which notified current customers might have about the publication of personal data. HR surgeries were set up for current employees to discuss any questions or concerns.
The investigation found that South Staffordshire failed to implement appropriate security controls required under the U.K. data protection law. According to the ICO, limited security controls enabled the attackers to escalate privileges after gaining an initial foothold on the network. The regulator also identified inadequate monitoring and logging practices, noting that only 5 percent of the IT environment was being monitored, which allowed malicious activity to go undetected.
The ICO further said the company was using obsolete and unsupported software on some devices, including Windows Server 2003, while vulnerability management processes were also found to be inadequate. This included unpatched critical systems and the absence of regular internal and external security scans.
Last December, the ICO notified South Staffordshire of its intention to impose a fine. The company subsequently submitted representations, which the regulator said were carefully reviewed, including evidence of security improvements made following the attack, support provided to affected individuals, and cooperation with other regulators and the U.K.’s National Cyber Security Centre (NCSC).
The ICO and South Staffordshire later reached a voluntary settlement agreement. According to the regulator, the company made an early admission of liability during the investigation and agreed to accept the ICO’s findings and pay the penalty without appeal. The ICO applied a 40 percent reduction to the fine in recognition of the efficiencies gained through the company’s early cooperation, bringing the final penalty to £963,900.
The ICO said the case should serve as a warning to organizations across critical infrastructure sectors to reassess their cyber resilience and access control policies. The regulator stressed the importance of ensuring users and systems only have access to the data and resources necessary for their roles, alongside maintaining sufficient logging and monitoring coverage across IT environments so malicious activity can be detected and acted upon promptly.
The agency emphasized the need for organizations to ensure systems remain fully patched and supported, warning that legacy and end-of-life software presents a significant and avoidable security risk. It further highlighted vulnerability management as a critical operational requirement, including the routine use of both internal and external security scanning. The regulator said it has published additional guidance covering ransomware protection, data controller and processor responsibilities, and lessons learned from common cybersecurity failures.
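The two control gaps the regulator singles out, monitoring coverage and end-of-life software, are both things a defender can measure from data they already hold. The following script is an added example, not code from the ICO notice or from the company: it joins a constructed asset inventory against the set of hosts actually forwarding events to a SIEM, reports the coverage percentage and the unmonitored hosts, and flags assets whose operating system left vendor support before the audit date. The hostnames, roles and inventory are constructed sample data; the end-of-support dates for Windows Server 2003, 2008 R2, 2012 R2 and Windows 10 are public Microsoft lifecycle dates, while the `None` entries stand in for products still supported at the sample audit date and would be filled from vendor lifecycle data in a real audit.

```python
"""Audit log-source coverage and end-of-life software against an asset inventory.

Added example (not from the ICO notice or the article). Inventory, hostnames
and the SIEM source list are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date

# Audit date: the day the ransom note was discovered, taken from the article.
AUDIT_DATE = date(2022, 7, 26)

# Vendor end-of-extended-support dates (public Microsoft lifecycle dates).
# None = still supported at AUDIT_DATE in this sample; a real audit would
# fill these from vendor lifecycle data rather than leave them open.
END_OF_SUPPORT = {
    "Windows Server 2003": date(2015, 7, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
    "Windows 10": date(2025, 10, 14),
    "Windows Server 2019": None,
    "Ubuntu 22.04": None,
}


@dataclass(frozen=True)
class Asset:
    hostname: str
    os: str
    role: str


# Constructed asset inventory (sample data, not any real organisation's estate).
INVENTORY = [
    Asset("dc01", "Windows Server 2019", "domain controller"),
    Asset("dc02", "Windows Server 2003", "domain controller"),
    Asset("fs01", "Windows Server 2012 R2", "file server"),
    Asset("app01", "Ubuntu 22.04", "billing application"),
    Asset("ws-hr-07", "Windows 10", "workstation"),
    Asset("ws-fin-12", "Windows 10", "workstation"),
    Asset("scada-gw", "Windows Server 2008 R2", "OT gateway"),
    Asset("mail01", "Windows Server 2019", "mail server"),
    Asset("print01", "Embedded Linux (vendor build)", "print server"),
]

# Constructed set of hostnames the SIEM actually received events from during
# the audit window (what a "distinct hosts in the last 7 days" query returns).
SIEM_SOURCES = {"dc01", "mail01"}


def monitoring_coverage(inventory, siem_sources):
    """Return (fraction of assets sending logs, list of unmonitored assets)."""
    unmonitored = [a for a in inventory if a.hostname not in siem_sources]
    covered = len(inventory) - len(unmonitored)
    return covered / len(inventory), unmonitored


def unsupported_assets(inventory, as_of):
    """Return (asset, years out of support) for OSes whose support ended before as_of."""
    out = []
    for a in inventory:
        eos = END_OF_SUPPORT.get(a.os)
        if eos is not None and eos < as_of:
            years = (as_of - eos).days / 365.25
            out.append((a, round(years, 1)))
    return out


def unknown_lifecycle(inventory):
    """Assets whose OS has no lifecycle entry: treat as a gap, never as 'supported'."""
    return [a for a in inventory if a.os not in END_OF_SUPPORT]


def audit(inventory=INVENTORY, siem_sources=SIEM_SOURCES, as_of=AUDIT_DATE):
    """Combine the three checks into one report dictionary."""
    fraction, unmonitored = monitoring_coverage(inventory, siem_sources)
    return {
        "coverage_percent": round(fraction * 100, 1),
        "unmonitored": [a.hostname for a in unmonitored],
        "unsupported": [(a.hostname, a.os, yrs) for a, yrs in unsupported_assets(inventory, as_of)],
        "unknown_lifecycle": [a.hostname for a in unknown_lifecycle(inventory)],
    }


if __name__ == "__main__":
    report = audit()
    print(f"Monitoring coverage: {report['coverage_percent']}% of inventory")
    print("Unmonitored hosts:", ", ".join(report["unmonitored"]))
    for host, os_name, yrs in report["unsupported"]:
        print(f"UNSUPPORTED: {host} ({os_name}) out of support for {yrs} years")
    for host in report["unknown_lifecycle"]:
        print(f"UNKNOWN LIFECYCLE: {host} (confirm vendor support status)")
```

On the sample data the script reports 22.2 percent coverage, flags the 2003 domain controller as seven years out of support (matching the figure quoted later in the article) and the 2008 R2 OT gateway as two and a half, and separately lists the print server whose OS has no lifecycle entry. That last category matters: an asset that is missing from the lifecycle table should surface as a gap to investigate, not silently count as supported.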
Commenting on the move, Josh Marpet, senior product security consultant at Finite State, wrote in an emailed statement that critical infrastructure is a huge attack surface. “Everyone in CI sectors should at least meet table stakes security. Multi-factor authentication, asset inventory, solid change management, software and firmware security, and third-party risk management are some of these.”
Marpet added, “This is why third-party certifications are so important. ‘The way we’ve always done it’ is not acceptable anymore. We keep people safe, or we lose.”
Recognizing that the deeper failure is governance, Jacob Krell, senior director for secure AI solutions and cybersecurity at Suzu Labs, wrote that critical infrastructure operators often avoid testing sensitive environments because disruption carries real consequences. “The result is a false sense of security. Systems are assumed safe precisely because no one has tested them, and the technical knowledge required to challenge that assumption is often absent from leadership conversations. Mandiant’s M-Trends 2026 report puts mean time to exploit at negative seven days. Adversaries do not wait for organizations to get comfortable.”
“As operational and business networks continue to merge, this incident highlights a critical ‘Achilles Heel’: remote access without rigorous authentication provides a direct path for attackers to pivot toward essential services,” Damon Small, board of directors at Xcape, wrote in an emailed statement. “For executives, the lesson is clear – if you are going to join these environments for efficiency, regulators will demand that critical infrastructure is protected with the same, if not greater, rigor as the most sensitive financial data.”
Small said the incident underscores three critical lessons for infrastructure operators. First, the convergence of IT and OT environments has made remote access the primary pathway for infrastructure compromise, requiring strict isolation of OT control systems and phishing-resistant multi-factor authentication for any user operating across both networks.
Second, he argued that a nearly two-year attacker dwell time points to a complete lack of internal telemetry and monitoring capabilities. Regulators, he noted, no longer accept “not knowing” about malicious activity as a valid defense, particularly when organizations fail to monitor for lateral movement within their environments.
Third, Small warned that legacy systems continue to act as ‘breach beacons.’ He said the continued use of Windows Server 2003, which had been unsupported for seven years at the time of the incident, created an unpatchable attack surface that enabled attackers to escalate from a single compromised employee account to a full domain compromise.
Last June, a Virtual Routes report highlighted that many critical infrastructure entities across Europe remain ill-prepared to defend against cyber threats. Despite their essential role in society, these organizations often lack the funding, skilled personnel, and technical capabilities needed to meet growing regulatory demands. The report also noted a growing surge in cyberattacks targeting drinking water and wastewater facilities, including ransomware, credential theft, and attempts to disrupt treatment operations, driven in part by weak remote access security, outdated systems, and limited asset visibility.