Security
Water company's leaky security earns near-£1M fine
Utility provider failed to detect Cl0p ransomware attack for nearly two years
The UK's data protection watchdog has fined South Staffordshire Water's parent company nearly £1 million over security failings exposed by the Cl0p ransomware attack in 2022.
Issuing the fine of £963,900 ($1.3 million), the Information Commissioner's Office (ICO) said the attack exposed "significant failures in the company's approach to data security."
The attack, claimed by Cl0p, was detected in July 2022 after engineers responded to performance issues, but a thorough postmortem revealed the initial intrusion occurred almost two years earlier, in September 2020.
REG AD
Among the key failures that led to the attack, and the nearly two-year delay in detecting it, were:
REG AD
Limited controls, which allowed the attacker to escalate their privileges to admin after gaining an initial foothold on the network
Inadequate monitoring and logging. The ICO noted that only 5 percent of South Staffordshire's IT environment was being monitored
Running unsupported software, including Windows Server 2003
Poor vulnerability management. Investigations showed critical systems were unpatched against known vulnerabilities, and the company failed to regularly run internal or external security scans
The ICO said 633,887 people were affected by the attack and the resulting leak of company files.
For customers, this included personally identifiable information, usernames and passwords used to access its online services, and bank account numbers and sort codes.
For a limited number of customers on the utility company's Priority Services Register, the stolen information could have led to their disabilities being inferred.
Cl0p also pilfered HR information, including employees' National Insurance numbers.
The trove of company data was later leaked online in a file exceeding 4 TB.
At the time of the attack, South Staffordshire handled the data of some 1.85 million individuals. Most of these were either current or former customers, but several thousand staffers' details were also retained.
"Customers do not have the choice over which water company serves them – they are required to share their personal information and place their trust in that provider," said Ian Hulme, interim executive director for regulatory supervision at the ICO. "It is therefore essential that water companies honor that trust by taking their data protection responsibilities seriously."
REG AD
"The steps that South Staffordshire failed to take are established, widely understood and effective controls to protect computer networks. The ICO expects all organizations – and particularly those handling large volumes of personal information as part of critical national infrastructure – to have these in place."
"Waiting for performance issues or a ransom note to discover a breach is not acceptable. Proactive security is a legal requirement, not an optional extra."
The ICO announced its intent to fine South Staffordshire in December 2025. The regulator said after reviewing the company's representations, which included agreement with its findings and an early admission of wrongdoing, it reduced the fine by 40 percent.
"We accept the Information Commissioner's Office's decision relating to the cyberattack our Group experienced in 2022, and are sorry for the worry and concern it caused for customers and employees," said Charley Maher, group CEO at South Staffordshire Plc, in a statement provided to The Register. "We took immediate action to contain the incident, support those impacted, and reduce the risk of recurrence."
"We have invested significantly to further strengthen our cybersecurity resilience, governance, and monitoring, and we continue to enhance our capabilities as the threat landscape evolves. Protecting customer and employee information is a responsibility we take extremely seriously, and we remain focused on learning from this incident and maintaining strong safeguards across the Group." ®