
UK Water Supplier Fined $1.3M for Data Exposure Lapse


“We have fined South Staffordshire Plc and South Staffordshire Water Plc (together South Staffordshire) £963,900 following a serious cyber attack that resulted in the personal information of 633,887 people being extracted and published on the dark web,” the Information Commissioner’s Office said.

The penalty and how it was calculated

The ICO has levied a penalty of £963,900 (reported as $1.3 million) against South Staffordshire Water Plc and its parent, South Staffordshire Plc. The regulator said the fine follows a serious cyberattack that exposed personal data; the original reporting puts the number of affected customers and employees at 663,887. The ICO said the initial fine was larger but was reduced by 40% because the companies admitted liability early, cooperated with the investigation, and agreed to settle without appeal.

Timeline: intrusion, escalation, and discovery

According to the ICO’s investigation, the compromise can be traced back to September 2020 but “largely took place between May and July 2022.” The breach began when a phishing attack enabled the installation of malware on South Staffordshire’s systems; that malware remained undetected for 20 months. Between May and July 2022 the attacker escalated privileges across the company network and obtained domain administrator access. The incident was discovered in July 2022 after IT performance problems triggered an investigation.

Scope of the data exposed

The leaked material, which the ICO confirmed was authentic and belonged to South Staffordshire Water Plc, included a broad mix of customer and employee information. The ICO said the exposed records contained full names, physical addresses, email addresses, phone numbers, dates of birth, customer account credentials, bank account details, and employee HR data such as National Insurance numbers.

Security failures the ICO identified

  • Insufficient controls to prevent privilege escalation;
  • Monitoring that covered only approximately 5% of the IT environment;
  • Use of obsolete software, explicitly including Windows Server 2003;
  • Poor vulnerability management and missing security patches;
  • Lack of regular internal and external security scans.

The ICO characterised these shortcomings as breaches of UK data protection requirements and cited them as the basis for the fine.
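Four of the five failings above are measurable from an asset inventory: monitoring coverage, end-of-life operating systems, patch age, and scan recency. As an added illustration, not part of the original article and not South Staffordshire's own tooling, the Python script below audits a constructed inventory against those four items and reports which hosts fall outside each threshold. The hostnames, dates and thresholds are assumptions; the end-of-support dates are Microsoft's published lifecycle dates for the products named.

```python
"""Audit an asset inventory for the control gaps named in the ICO findings:
low monitoring coverage, end-of-life operating systems, stale patching and
missing vulnerability scans. Added example with a constructed inventory."""
from datetime import date, timedelta

# Microsoft end-of-extended-support dates (public lifecycle data).
EOL_DATES = {
    "Windows Server 2003": date(2015, 7, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
}

# Constructed sample inventory: hostnames and dates are hypothetical.
# "monitored" means the host forwards logs / runs an EDR agent.
INVENTORY = [
    {"host": "dc01", "os": "Windows Server 2003", "monitored": False,
     "last_patch": date(2015, 6, 1), "last_scan": None},
    {"host": "fs01", "os": "Windows Server 2012 R2", "monitored": False,
     "last_patch": date(2023, 9, 12), "last_scan": date(2023, 1, 5)},
    {"host": "web01", "os": "Windows Server 2022", "monitored": True,
     "last_patch": date(2024, 5, 14), "last_scan": date(2024, 5, 20)},
    {"host": "app01", "os": "Windows Server 2019", "monitored": True,
     "last_patch": date(2024, 4, 9), "last_scan": date(2024, 5, 20)},
    {"host": "db01", "os": "Windows Server 2019", "monitored": False,
     "last_patch": date(2024, 1, 9), "last_scan": date(2024, 2, 1)},
    {"host": "ops01", "os": "Windows Server 2008 R2", "monitored": False,
     "last_patch": date(2019, 11, 12), "last_scan": None},
    {"host": "jump01", "os": "Windows Server 2022", "monitored": True,
     "last_patch": date(2024, 5, 14), "last_scan": date(2024, 5, 20)},
    {"host": "print01", "os": "Windows Server 2016", "monitored": False,
     "last_patch": date(2024, 5, 14), "last_scan": date(2024, 5, 20)},
]
AS_OF = date(2024, 6, 1)  # assumed audit date


def monitoring_coverage(inventory):
    """Percentage of hosts with active telemetry, rounded to one decimal."""
    if not inventory:
        return 0.0
    monitored = sum(1 for h in inventory if h["monitored"])
    return round(100.0 * monitored / len(inventory), 1)


def eol_hosts(inventory, as_of):
    """Hosts whose OS has passed its vendor end-of-support date."""
    return [h["host"] for h in inventory
            if h["os"] in EOL_DATES and EOL_DATES[h["os"]] <= as_of]


def stale_patch_hosts(inventory, as_of, max_age_days=30):
    """Hosts not patched within max_age_days of the audit date."""
    cutoff = as_of - timedelta(days=max_age_days)
    return [h["host"] for h in inventory
            if h["last_patch"] is None or h["last_patch"] < cutoff]


def unscanned_hosts(inventory, as_of, max_age_days=90):
    """Hosts never scanned, or not scanned within max_age_days."""
    cutoff = as_of - timedelta(days=max_age_days)
    return [h["host"] for h in inventory
            if h["last_scan"] is None or h["last_scan"] < cutoff]


def audit(inventory, as_of, min_coverage=95.0):
    """Return a report dict; 'passes' is True only if every check is clean."""
    report = {
        "coverage_pct": monitoring_coverage(inventory),
        "eol": eol_hosts(inventory, as_of),
        "stale_patch": stale_patch_hosts(inventory, as_of),
        "unscanned": unscanned_hosts(inventory, as_of),
    }
    findings = []
    if report["coverage_pct"] < min_coverage:
        findings.append(f"monitoring covers {report['coverage_pct']}% of hosts "
                        f"(threshold {min_coverage}%)")
    for key, label in (("eol", "end-of-life OS"),
                       ("stale_patch", "patches older than 30 days"),
                       ("unscanned", "no scan in 90 days")):
        if report[key]:
            findings.append(f"{label}: {', '.join(report[key])}")
    report["findings"] = findings
    report["passes"] = not findings
    return report


if __name__ == "__main__":
    for line in audit(INVENTORY, AS_OF)["findings"]:
        print("FINDING:", line)
```

Run against a real inventory export, the same four checks give the audit-oriented evidence procurement teams ask for: the coverage figure is the direct analogue of the ICO's "approximately 5%" finding, and the EOL list is where a Windows Server 2003 host would surface.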

What this means for customers, employees, and procurement leaders

Customers will be directly affected because the published records included bank account details and customer account credentials, along with names, addresses and dates of birth; those exposed will likely need to monitor accounts tied to financial and contact information. Employees face risks tied to HR data in the leak, including National Insurance numbers, which raise particular identity-theft concerns for affected staff.

Procurement leaders and IT decision-makers should note the concrete failings the ICO flagged: monitoring coverage of roughly 5%, use of obsolete server software, and missing patches. Those specifics provide clear, audit-oriented items that procurement teams and security buyers will watch for when assessing vendors and contracts going forward.

The penalty closes this chapter legally for South Staffordshire without an appeal, but the record the ICO published — a malware presence undetected for 20 months, privilege escalation to domain administrator, and an extensive set of exposed personal records — leaves open practical questions about how utilities and similar suppliers will accelerate monitoring, patching, and vulnerability management to avoid comparable enforcement and customer harm.

Original reporting: https://www.bleepingcomputer.com/news/security/uk-fines-water-supplier-13m-for-exposing-data-of-664k-customers/