- The ICO fined South Staffordshire Plc and South Staffordshire Water Plc £963,900 (roughly $1.3 million USD) following a cyberattack that exposed the personal data of more than 633,000 people.
- A single phishing email handed hackers undetected access to the company’s network for 20 straight months.
- The attackers uploaded 4.1 terabytes of stolen data, including bank account numbers and National Insurance numbers, directly to the dark web.

A phishing email started it all. One employee opened an attachment, and hackers walked straight into South Staffordshire Water’s systems. They stayed for nearly two years. By the time anyone noticed, over 633,000 customers and employees had already lost control of their personal data.
The ICO (Information Commissioner’s Office) has now fined two firms a combined total of £963,900 for the failure. It stands as one of the most significant data protection penalties handed to a UK utility company to date.
One Email, Twenty Months of Access
The cyberattack began in September 2020. An employee at the water company opened a phishing email attachment, and that single action gave hackers the opening they needed. The attackers installed malware on the company’s systems and began moving through the network quietly.
Nobody caught them. The hackers stayed inside South Staffordshire’s network for 20 months without detection. By May 2022, they had gained full control of the company’s IT systems.
Staff only discovered the breach in July 2022, after noticing performance problems on their own machines. At some point during the attack, the intruder also attempted to deliver a ransom note directly to a member of staff.
The investigation then revealed the full scale of what had happened. The hackers had stolen 4.1 terabytes of data and uploaded all of it to the dark web. That data included names, home addresses, account passwords, bank account numbers, and the National Insurance numbers of some employees.
Over 633,887 people had their personal information exposed, and it remained accessible to criminals for close to two years.
Outdated Systems Left the Door Wide Open
The ICO’s investigation did not stop at the breach itself. Investigators found serious, pre-existing gaps in the company’s security infrastructure that made the attack far easier than it should have been.
South Staffordshire Water was only monitoring a small portion of its own systems at the time. The company was still running outdated software (including Windows Server 2003), and some systems had gone without updates or vulnerability checks for extended periods.
These were not minor oversights. They were the kind of weaknesses that invite attackers in and keep them comfortable once they are inside.
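The three findings above (partial monitoring, end-of-support software, long gaps without patching) are exactly what an asset-inventory audit should surface. The check below is an added example, not code from the article or from the utility; the hosts, the 90-day patch threshold and the small end-of-support table are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Vendor end-of-support dates for a few operating systems. The article names
# only Windows Server 2003; the other rows are assumed entries for illustration.
EOL_DATES = {
    "Windows Server 2003": date(2015, 7, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows 7": date(2020, 1, 14),
}
STALE_PATCH_DAYS = 90  # assumed threshold; align with your own patch policy


@dataclass
class Host:
    name: str
    os: str
    last_patched: date
    monitored: bool  # True if the host ships logs/alerts to the security team


def audit_inventory(hosts, today):
    """Report the gaps the ICO called out: unmonitored hosts, hosts on
    end-of-support software, and hosts not patched within the threshold."""
    unmonitored = [h.name for h in hosts if not h.monitored]
    eol = [h.name for h in hosts
           if h.os in EOL_DATES and EOL_DATES[h.os] <= today]
    stale = [h.name for h in hosts
             if (today - h.last_patched).days > STALE_PATCH_DAYS]
    coverage = 1.0 - len(unmonitored) / len(hosts) if hosts else 0.0
    return {"coverage": coverage, "unmonitored": unmonitored,
            "eol": eol, "stale": stale}


# Constructed sample inventory (hypothetical hosts, not from the article).
SAMPLE_HOSTS = [
    Host("dc01", "Windows Server 2019", date(2022, 6, 20), True),
    Host("legacy-app", "Windows Server 2003", date(2019, 3, 1), False),
    Host("scada-hmi", "Windows 7", date(2021, 11, 5), False),
    Host("file01", "Windows Server 2016", date(2022, 7, 1), True),
]

if __name__ == "__main__":
    report = audit_inventory(SAMPLE_HOSTS, date(2022, 7, 15))
    print(f"monitoring coverage: {report['coverage']:.0%}")
    for key in ("unmonitored", "eol", "stale"):
        print(f"{key}: {', '.join(report[key]) or 'none'}")
```

Any host that appears in all three lists is the kind of machine an intruder can sit on for months without anyone noticing.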
Nation-state actors actively hunt for such vulnerabilities. The US government recently warned of Iran-linked hackers targeting critical infrastructure systems — a reminder that water utilities face threats from both criminal and state-sponsored attackers.
According to ICO Interim Executive Director for Regulatory Supervision, Ian Hulme, discovering a breach only after staff notice performance problems, or after a ransom note shows up, simply does not meet the required standard.
He made clear that proactive security is a legal obligation, not something organisations can choose to prioritise when convenient.
The ICO’s stance is firm. Organisations handling sensitive customer data carry a legal duty to protect it, and pointing to poor infrastructure as an explanation does not hold up as a defence.
Company Admits Wrongdoing, Fine Reduced
South Staffordshire Plc and South Staffordshire Water Plc did not contest the findings. The company agreed to a voluntary settlement and admitted wrongdoing early in the investigation.
The ICO recognised this cooperation and applied a 40% reduction to the original penalty, bringing the final figure down to £963,900.
That early admission matters, but it does not change what happened to the hundreds of thousands of people whose data ended up on the dark web. Names, passwords, bank details, and government identification numbers sat in criminal hands for close to two years. Many of those people likely had no idea.
The South Staffordshire case is a hard reminder that cyberattacks rarely announce themselves. One phishing email, one opened attachment, and a company surrendered the personal information of over half a million people without even knowing it. The bill for that failure now sits at nearly £1 million. The cost to those 633,000 people is far harder to calculate.