breach · Published May 12, 2026 · Updated May 18, 2026 · 1 source

South Staffordshire Water Fined £1m After Two-Year Undetected Breach

The UK ICO fined South Staffordshire Water nearly £1m for a phishing attack that went undetected for two years, exposing data of over 633,000 individuals.

The UK Information Commissioner's Office (ICO) has fined South Staffordshire Water nearly £1m ($1.4m) after a phishing attack in September 2020 led to a two-year undetected breach that compromised the personal data of over 633,000 customers and employees. The fine, reduced from an original £1.6m after the company agreed not to contest it, highlights severe security failures at the critical infrastructure provider.

The incident began on September 11, 2020, when an employee fell victim to a phishing email that installed the Get2 downloader and the SDBbot remote access Trojan (RAT). The attacker maintained persistence undetected until May 2022, when they used a domain administrator account to move laterally via Remote Desktop Protocol (RDP) across 20 endpoints over several months.

The breach was only discovered on July 15, 2022, when IT performance issues caused by unscheduled database exports triggered an investigation. Nine days later, the company reported the breach to the ICO. On July 26, staff discovered a ransom note that the threat actor had unsuccessfully attempted to send, though the stolen data had already been dumped on the dark web.

The stolen 4.1TB of data included full names, addresses, dates of birth, bank account details, National Insurance numbers, and sensitive information from the Priority Services Register, from which disabilities could be inferred. This represented approximately 34% of all personal information held by the company.

The ICO identified multiple security failings: lack of least privilege controls that allowed privilege escalation, monitoring of only 5% of the IT environment, use of legacy unsupported software like Windows Server 2003, and inadequate vulnerability management with no regular security scans. Ian Hulme, ICO interim executive director for regulatory supervision, stated that water customers have no choice of provider, making data protection responsibilities paramount.

The ICO published a detailed case write-up urging organizations to review least privilege access controls, logging and monitoring coverage, patch management, and vulnerability scanning practices. The regulator emphasized that proactive security is a legal requirement, not optional, and that waiting for performance issues or ransom notes to discover breaches is unacceptable.
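Two of the failings above are checkable from log data alone: a domain administrator account opening RDP sessions to many endpoints in a short period, and an endpoint estate where only a small fraction of hosts forward logs at all. The following Python is an added illustration, not code from the ICO, the article or the company; it assumes Windows Security Event ID 4624 with LogonType 10 (RemoteInteractive, i.e. RDP) as the logon record, and every hostname, account, IP address and timestamp in it is constructed sample data.

```python
"""Detect privileged-account RDP fan-out and measure logging coverage.

Added example (not from the ICO notice or the article). Assumes logon records
in the shape of Windows Security Event ID 4624 with LogonType 10 (RDP); all
hosts, accounts, IPs and times below are constructed sample values.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LogonEvent:
    timestamp: datetime
    event_id: int      # Windows Security Event ID; 4624 = successful logon
    logon_type: int    # 10 = RemoteInteractive (RDP), 3 = network, 2 = console
    account: str
    target_host: str   # host that recorded the logon
    source_ip: str


def _ev(day, hour, account, host, src, logon_type=10, event_id=4624):
    """Helper to build constructed sample events dated May 2022."""
    return LogonEvent(datetime(2022, 5, day, hour), event_id, logon_type,
                      account, host, src)


# Constructed sample events; none of these names or addresses are real.
SAMPLE_EVENTS = [
    _ev(2, 9, "CORP\\da-admin", "FS01", "10.0.5.17"),
    _ev(2, 11, "CORP\\da-admin", "FS02", "10.0.5.17"),
    _ev(3, 8, "CORP\\da-admin", "SQL01", "10.0.5.17"),
    _ev(3, 13, "CORP\\da-admin", "SQL02", "10.0.5.17"),
    _ev(4, 10, "CORP\\da-admin", "APP01", "10.0.5.17"),
    _ev(4, 12, "CORP\\da-admin", "APP02", "10.0.5.17"),
    _ev(5, 9, "CORP\\da-admin", "DC01", "10.0.5.17", logon_type=2),     # console, not RDP
    _ev(2, 9, "CORP\\svc-backup", "FS01", "10.0.5.20", logon_type=3),   # SMB, not RDP
    _ev(2, 10, "CORP\\jsmith", "WS017", "10.0.7.3"),                     # ordinary user
    _ev(4, 10, "CORP\\jsmith", "WS018", "10.0.7.3"),
    _ev(6, 10, "CORP\\helpdesk1", "WS021", "10.0.7.9"),                  # one host only
]

# Assumed set of Tier-0 / domain-admin accounts (constructed).
PRIVILEGED_ACCOUNTS = {"CORP\\da-admin", "CORP\\helpdesk1"}

# Assumed asset inventory: the 10 hosts seen in the events plus 30 hosts that
# never forward a single event, mirroring an under-monitored estate.
SAMPLE_INVENTORY = ["FS01", "FS02", "SQL01", "SQL02", "APP01", "APP02", "DC01",
                    "WS017", "WS018", "WS021"] + [f"WS{n:03d}" for n in range(100, 130)]


def rdp_fanout(events, privileged, window=timedelta(days=7), threshold=5):
    """Return {account: sorted hosts} for privileged accounts whose RDP logons
    (4624 / LogonType 10) reached at least `threshold` distinct hosts inside
    some `window`-long period. Non-RDP logons and non-privileged accounts are
    ignored so the rule stays focused on admin lateral movement."""
    by_account = defaultdict(list)
    for e in events:
        if e.event_id == 4624 and e.logon_type == 10 and e.account in privileged:
            by_account[e.account].append(e)

    alerts = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e.timestamp)
        widest = set()
        # Slide a window starting at each event; keep the largest host set.
        for i, start in enumerate(evs):
            hosts = {e.target_host for e in evs[i:]
                     if e.timestamp - start.timestamp <= window}
            if len(hosts) > len(widest):
                widest = hosts
        if len(widest) >= threshold:
            alerts[account] = sorted(widest)
    return alerts


def log_coverage(inventory, events):
    """Fraction of inventoried hosts that produced at least one event.
    A low value means most of the estate is invisible to detection."""
    reporting = {e.target_host for e in events}
    return len(reporting & set(inventory)) / len(inventory)


if __name__ == "__main__":
    for account, hosts in rdp_fanout(SAMPLE_EVENTS, PRIVILEGED_ACCOUNTS).items():
        print(f"ALERT privileged RDP fan-out: {account} -> {', '.join(hosts)}")
    print(f"log coverage: {log_coverage(SAMPLE_INVENTORY, SAMPLE_EVENTS):.0%} of inventory")
```

On the sample data the fan-out rule fires for the domain-admin account (six distinct hosts in three days) and stays quiet for the ordinary user and the help-desk account, while the coverage check reports that only a quarter of the inventory is forwarding logs. The window and threshold are tuning knobs: a short window with a low threshold catches a burst of admin sessions, a long window catches the slow, months-long spread described in the notice.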

Synthesized by Vypr AI