ICO fines South Staffordshire Water £1m over data breach
Published: 11/05/2026 | ICO
The Information Commissioner's Office (ICO) has issued a £963,900 monetary penalty to South Staffordshire Plc and South Staffordshire Water Plc following a serious cyberattack by the Cl0p ransomware gang that compromised the personal data of approximately 633,887 individuals. The ICO found that the companies infringed Articles 5(1)(f) and 32(1) of the UK General Data Protection Regulation (GDPR) for failing to implement appropriate technical and organisational security measures.
The breach originated from a phishing email in September 2020. Malicious software remained undetected within the network for 20 months before attackers escalated their access to domain administrator privileges between May and July 2022. The intrusion was only identified following internal IT performance issues. Subsequently, more than 4.1 terabytes of exfiltrated data were published on the dark web, including names, addresses, dates of birth, and telephone numbers. For employees, National Insurance numbers were exposed, while customers had their bank details and online account credentials compromised. A small number of individuals on the Priority Services Register also had sensitive information regarding their disabilities revealed.
The ICO investigation highlighted several critical security failures. Monitoring was inadequate, with only 5% of the IT environment tracked. The organisation also utilised obsolete, unsupported software and lacked a robust vulnerability management programme, leaving critical systems unpatched. Furthermore, the absence of regular security scans allowed the unauthorised access to persist and expand.
What is this page?
You are reading a summary article on the Privacy Newsfeed, a free resource for DPOs and other professionals with privacy or data protection responsibilities helping them stay informed of industry news all in one place. The information here is a brief snippet relating to a single piece of original content or several articles about a common topic or thread. The main contributor is listed in the top left-hand corner, just beneath the article title.