UK Fines South Staffordshire Water £963,900 for Cl0p Breach Exposing 664K Records
The UK Information Commissioner's Office has fined South Staffordshire Water Plc £963,900 ($1.3 million) for a Cl0p ransomware attack that exposed the personal data of 663,887 customers and employees, citing severe security failures including insufficient privilege escalation controls and use of obsolete Windows Server 2003.

The UK Information Commissioner's Office (ICO) has fined South Staffordshire Water Plc and its parent company South Staffordshire Plc £963,900 ($1.3 million) over a cyberattack that exposed the personal data of 663,887 customers and employees. The water supplier, which provides 330 million liters of drinking water to 1.6 million consumers daily, disclosed the breach in 2022 after the Cl0p ransomware gang claimed responsibility for the attack.
The ICO's investigation revealed that the compromise began as early as September 2020, when attackers gained initial access through a phishing email that installed malware on the company's systems. The malware remained undetected for 20 months, allowing the threat actors to maintain a persistent foothold in the network. Between May and July 2022, the attackers escalated privileges across South Staffordshire's network and ultimately gained domain administrator access.
The breach was only discovered in July 2022 after IT performance problems triggered an internal investigation. The leaked data included full names, physical addresses, email addresses, phone numbers, dates of birth, customer account credentials, bank account details, and employee HR data such as National Insurance numbers. The Cl0p gang initially misidentified their victim but later published samples that the ICO has now confirmed as genuine.
The ICO identified multiple security failures that contributed to the incident. The company had insufficient controls to prevent privilege escalation, its monitoring covered only about 5% of the IT environment, and it was still using obsolete software such as Windows Server 2003. Additionally, the investigation found poor vulnerability management, missing security patches, and a lack of regular internal and external security scans.
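The three findings above that can be measured from an asset inventory are monitoring coverage, end-of-support operating systems, and patch age. The following script is an added example written for this page, not code from the ICO, South Staffordshire Water, or the article's author. It runs a constructed inventory (hostnames, operating systems and dates are all made up for illustration) through those three checks; the end-of-support dates are Microsoft's published dates, with Windows Server 2003 leaving extended support on 14 July 2015.

```python
"""Inventory audit for the control gaps the ICO cited (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date

# Vendor-published end-of-extended-support dates for the server releases used below.
END_OF_SUPPORT = {
    "Windows Server 2003": date(2015, 7, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
}


@dataclass
class Asset:
    hostname: str
    os: str
    monitored: bool   # True when the host forwards logs to the SIEM or runs an EDR agent
    last_patched: date


def monitoring_coverage(assets):
    """Fraction of inventoried hosts that are actually monitored (0.0 for an empty list)."""
    if not assets:
        return 0.0
    return sum(1 for a in assets if a.monitored) / len(assets)


def unsupported_assets(assets, today):
    """Hostnames whose OS passed its end-of-support date before `today`."""
    return [a.hostname for a in assets
            if a.os in END_OF_SUPPORT and END_OF_SUPPORT[a.os] < today]


def stale_assets(assets, today, max_age_days=30):
    """Hostnames not patched within `max_age_days` of `today`."""
    return [a.hostname for a in assets if (today - a.last_patched).days > max_age_days]


# Constructed sample inventory: four hosts, only the domain controller is monitored.
SAMPLE_INVENTORY = [
    Asset("DC01", "Windows Server 2019", True, date(2022, 6, 20)),
    Asset("FILE01", "Windows Server 2003", False, date(2015, 5, 1)),
    Asset("APP02", "Windows Server 2012 R2", False, date(2022, 1, 15)),
    Asset("HR01", "Windows Server 2016", False, date(2022, 6, 28)),
]

# Hypothetical audit date chosen to fall inside the period described in the article.
AUDIT_DATE = date(2022, 7, 1)


def run_audit(assets=SAMPLE_INVENTORY, today=AUDIT_DATE):
    """Return the three findings as a dict so they can be reported or asserted on."""
    return {
        "coverage": monitoring_coverage(assets),
        "unsupported": unsupported_assets(assets, today),
        "stale": stale_assets(assets, today),
    }


if __name__ == "__main__":
    result = run_audit()
    print(f"monitoring coverage: {result['coverage']:.0%}")
    print(f"end-of-support hosts: {result['unsupported']}")
    print(f"hosts unpatched > 30 days: {result['stale']}")
```

On the constructed inventory the audit reports 25% coverage, flags FILE01 as running an end-of-support OS, and lists FILE01 and APP02 as unpatched for more than 30 days. The coverage figure is only as good as the inventory it is computed from, which is the point: a host that is not inventoried cannot be counted as unmonitored.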
These failures constitute a violation of UK data protection requirements under the Data Protection Act 2018. The ICO's initial proposed fine was larger, but because South Staffordshire admitted liability early, cooperated with the investigation, and agreed to settle without appeal, the regulator reduced the penalty by 40%. The ICO emphasized that the company's security posture left customers and employees vulnerable for nearly two years.
The fine serves as a stark reminder for critical national infrastructure operators about the importance of maintaining robust cybersecurity practices. The case highlights how outdated systems and inadequate monitoring can enable ransomware groups to maintain long-term access to sensitive networks, with potentially severe consequences for both operational continuity and data privacy.