Data Breaches

UK Water Company Fined £963,900

May 12, 2026 00:07 · 12 min read

UK Water Company Fined for Data Breach

A British utilities company, South Staffordshire Water, supplying drinking water to 1.6 million people, failed to discover hackers hidden inside its computer network for nearly two years before the intrusion came to light through an IT performance slowdown.

The Information Commissioner's Office (ICO) fined South Staffordshire Water £963,900 on Monday over an attack by the Cl0p ransomware group that led to the personal data of 633,887 customers and employees being published in August 2022.

Initial Access and Lateral Movement

According to the penalty notice, the initial access occurred almost two years earlier in September 2020 when an employee opened a malicious email attachment, installing software that gave the attacker a foothold on the corporate network.

The threat actor then remained hidden until May 2022 before beginning to move laterally across systems using a domain administrator account, the highest level of system access available.

Discovery and Notification

The company did not identify the intrusion until July 2022, when the IT performance issues prompted an internal investigation. Two weeks later the company discovered a ransom note the attacker had unsuccessfully attempted to distribute to certain members of staff.

After the incident, South Staffordshire detected approximately 4.1 terabytes of data published on the dark web, including names, addresses, dates of birth, bank account numbers and sort codes, National Insurance numbers, and, for a small percentage of customers on the company's Priority Services Register, information from which disabilities could be inferred.

Security Failures and ICO Investigation

The ICO's investigation identified four specific security failures, including a failure to implement the principle of least privilege, a standard control that limits user access to only what is needed for their role. That failure allowed the threat actor to move freely across the network using a domain administrator account.

As of December 2021, more than a year after the attacker first gained access, an outsourced security operations center was monitoring just 5% of the company's IT environment.

Reaction and Penalty

“Waiting for performance issues or a ransom note to discover a breach is not acceptable,” said Ian Hulme, the ICO's Interim Executive Director for Regulatory Supervision, adding that “proactive security is a legal requirement, not an optional extra.”

The ICO placed the infringements in the medium seriousness category and reduced the total fine due to South Staffordshire’s cooperation, early admission of liability and mitigation steps.

A further discretionary reduction was applied, though the reasoning is redacted in the published notice. South Staffordshire entered a voluntary settlement earlier this year, securing a 40% discount, and has agreed not to appeal against the ICO’s decision.

Incidents and Reactions

The breach became public in August 2022 when, in a bungled extortion attempt, the Cl0p group claimed to have stolen data from a different water supplier, Thames Water, which serves around 15 million people in and around London.

At the time, the group claimed to have been capable of altering the chemical composition of the water supply, although this was disputed by South Staffordshire. The penalty notice makes no reference to any compromise of operational or water treatment systems.

Cyberattacks on Water Suppliers

British water suppliers face a growing number of cyberattacks. Five incidents were reported to the Drinking Water Inspectorate between January 2024 and October 2025 — a record number in any two-year period.

Under the current NIS Regulations, water suppliers are only required to notify authorities of cyber incidents that cause actual disruption to supplies. South Staffordshire's breach, which became public in 2022, did not meet that threshold.

The U.K. government’s Cyber Security and Resilience Bill, intended to expand mandatory reporting requirements and improve security standards for critical infrastructure operators, is expected to be introduced to Parliament this year.

We accept the Information Commissioner’s Office’s decision relating to the cyber attack our Group experienced in 2022, and are sorry for the worry and concern it caused for customers and employees.

— Charley Maher, South Staffordshire’s chief executive


Source: The Record
