ICO fines water firm £1m over data breach

South Staffordshire Water has been fined almost £1m following a serious cyber attack that resulted in the personal information of 633,887 people being extracted and published on the dark web.

The fine of £963,900 followed an incident that dates back to September 2020 but which largely took place between May and July 2022. It exposed significant failures in the company's approach to data security and left customers and employees vulnerable for nearly two years.

The company suffered a cyber attack which began with a successful phishing email – a scam message aimed at tricking people. In this case, the recipient opened an attachment which enabled the attacker to install malicious software that remained undetected within the organisation's systems for 20 months. In May 2022, the attacker then moved laterally through the network and obtained domain administrator privileges.

The breach was only identified when IT performance issues prompted an internal investigation in July 2022. The company reported a personal data breach to the ICO that month, and subsequently discovered a ransom note that the hacker had unsuccessfully attempted to distribute to certain members of staff. Between August and November 2022, South Staffordshire detected that over 4.1 terabytes of data had been published on the dark web.

At the time of the attack, South Staffordshire held personal information relating to approximately 1.85m current and former customers, as well as 2,791 current employees and at least 2,298 former employees. The breach exposed the personal details of both customers and staff.

Among the failures identified by the ICO were: limited controls which enabled the attacker to escalate to administrator privileges after gaining an initial foothold on the network; inadequate monitoring and logging; use of obsolete, unsupported software on some devices, including Windows Server 2003; and inadequate vulnerability management, including unpatched critical systems and the absence of regular internal or external security scans.

Ian Hulme, ICO interim executive director for regulatory supervision, said: “Customers do not have the choice over which water company serves them – they are required to share their personal information and place their trust in that provider. It is therefore essential that water companies honour that trust by taking their data protection responsibilities seriously.

“The steps that South Staffordshire failed to take are established, widely understood and effective controls to protect computer networks. The ICO expects all organisations – and particularly those handling large volumes of personal information as part of critical national infrastructure – to have these in place. Waiting for performance issues or a ransom note to discover a breach is not acceptable. Proactive security is a legal requirement, not an optional extra.”
