A UK water supplier has been fined £945,000 after regulators found cybercriminals had access to its systems, exposing sensitive customer data, for nearly two years before they were discovered.

The UK Information Commissioner’s Office (ICO) announced this week that it had levied the penalty against South Staffordshire Plc and South Staffordshire Water Plc following a 2022 ransomware attack that compromised the personal data of hundreds of thousands of customers.

Key takeaways
UK regulators fined South Staffordshire Plc and South Staffordshire Water Plc nearly £1 million after a major cyberattack.
The ICO said attackers were able to linger inside company systems for almost two years before detection.
Exposed data reportedly included names, addresses, contact details, and in some cases bank account information.

Attackers reportedly lingered undetected for years

Investigators found the attackers had access to parts of the company’s network long before August 2022, when the breach was publicly disclosed. The ICO said the intrusion went unnoticed for nearly two years, raising serious concerns about the organization’s security monitoring and detection capabilities.

As reported by The Record, the ransomware gang Cl0p claimed responsibility for the attack and published samples of allegedly stolen data online. At the time, South Staffordshire Water said operational water supply systems were unaffected and drinking water remained safe.

However, subsequent investigations revealed that customer data had been accessed and later leaked online.

Who was affected

Investigators found that, at the time of the attack, South Staffordshire held personal information relating to 750,000 current and 1.1 million former customers—totalling 1.85 million—as well as 2,791 current employees and at least 2,298 former employees. Personal information of 633,887 people stolen in the breach was published on the dark web in August 2022, the ICO said. The compromised data included:

Personal details such as full name, physical address, email address, date of birth, gender and telephone number.
For employees, HR information including National Insurance numbers.
For customers, account information (including username and password for South Staffordshire Water online services) and bank account number and sort code.
For a small percentage of customers on the Priority Services Register, information from which disabilities could be inferred.

Security failures left customer data exposed

The ICO said the company failed to carry out appropriate security measures to protect personal information, violating UK data protection law.
The regulator concluded that inadequate monitoring and cybersecurity controls allowed attackers to stay in internal systems for an extended period.

While the ICO has not publicly detailed every technical weakness involved, long-term unauthorized access typically points to gaps in visibility, endpoint monitoring, network segmentation, identity controls, or incident response readiness.

The incident is part of a broader pattern of cyberattacks targeting water suppliers and other operators of critical infrastructure. Britain’s drinking water suppliers have suffered several cyberattacks since early 2024, according to regulatory disclosures.

Water infrastructure is an attractive target because disruptions could create public panic, operational outages, or even safety risks.

Anyone affected by a data breach should consider a monitoring service. Bitdefender Digital Identity Protection alerts you if your data has been compromised or leaked online, identifies the risks you face, and provides guidance on how to protect yourself.
