A British utilities firm supplying drinking water to 1.6 million people failed to find hackers hidden inside its computer network for nearly two years before the intrusion came to light through an IT performance slowdown, the UK's data protection regulator has found.
The Information Commissioner's Office (ICO) fined South Staffordshire Water £963,900 ($1.3 million) on Monday over an attack by the Cl0p ransomware group that led to the personal data of 633,887 customers and employees being published in August 2022.
According to the penalty notice, the initial access occurred almost two years earlier, in September 2020, when an employee opened a malicious email attachment, installing software that gave the attacker a foothold on the corporate network.
The threat actor then remained hidden until May 2022 before beginning to move laterally across systems using a domain administrator account, the highest level of system access available.
The company did not identify the intrusion until July 2022, when the IT performance issues prompted an internal investigation. Two weeks later the company discovered a ransom note the attacker had unsuccessfully attempted to distribute to certain members of staff.
After the incident, South Staffordshire detected roughly 4.1 terabytes of data published on the dark web, including names, addresses, dates of birth, bank account numbers and sort codes, National Insurance numbers, and, for a small share of customers on the company's Priority Services Register, information from which disabilities could be inferred.
The ICO's investigation identified four specific security failures, including a failure to implement the principle of least privilege (a standard control that limits user access to only what their role requires), which allowed the threat actor to move freely across the network using a domain administrator account.
As of December 2021, more than a year after the attacker first gained access, an outsourced security operations centre was monitoring just 5% of the company's IT environment. The third party was not identified in the ICO's report, which said endpoint telemetry and logging were not integrated into the company's security monitoring platform.
Some devices were also still running Windows Server 2003, an operating system whose extended support ended in July 2015.
When asked by the ICO to provide records of any internal or external vulnerability scans conducted between September 2020 and May 2022, the company confirmed no such scans existed for either category.
Two domain controllers also remained unpatched against a critical vulnerability known as ZeroLogon (CVE-2020-1472), which allows rapid escalation of privileges on an Active Directory domain controller and was first disclosed, with a patch, in August 2020. The attacker successfully exploited this vulnerability during the incident.
"Waiting for performance issues or a ransom note to discover a breach is not acceptable," said Ian Hulme, the ICO's Interim Executive Director for Regulatory Supervision, adding that "proactive security is a legal requirement, not an optional extra."
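The exploitation described above leaves a trace on the domain controller itself: ZeroLogon resets the DC's machine-account password over Netlogon without authenticating, which on an unpatched DC appears as Security event 4742 (a computer account was changed) whose subject is ANONYMOUS LOGON, and on a patched DC that is still permitting vulnerable Netlogon connections as event 5829. The Python below is an added example, not code from the ICO notice or from South Staffordshire, that runs those two checks over a handful of constructed winlogbeat-style event records. It goes slightly beyond the incident as reported by also flagging the patched-but-not-enforcing case. The host names, SIDs, account names and timestamps are made up, and the JSON field names (SubjectUserSid, TargetUserName, PasswordLastSet, SamAccountName) assume the log shipper preserves the Windows event data names.

```python
"""Added example: flag CVE-2020-1472 (ZeroLogon) indicators in Windows
Security log events. Not code from the ICO notice or South Staffordshire;
every host, SID, account and timestamp below is constructed."""
import json

ANONYMOUS_LOGON_SID = "S-1-5-7"
# Assumed inventory of domain-controller machine accounts (hypothetical names).
DOMAIN_CONTROLLER_ACCOUNTS = {"DC01$", "DC02$"}

# Constructed winlogbeat-style records, one JSON object per line. Field names
# follow the Windows Security event data names, which is an assumption about
# the shipper's configuration.
SAMPLE_EVENTS = [
    # Routine: the DC rotates its own machine-account password (SYSTEM subject).
    json.dumps({"EventID": 4742, "Computer": "DC01.corp.example",
                "SubjectUserSid": "S-1-5-18", "SubjectUserName": "DC01$",
                "TargetUserName": "DC01$", "PasswordLastSet": "1/9/2022 10:15:00 AM"}),
    # ZeroLogon signature: ANONYMOUS LOGON set a DC machine-account password.
    json.dumps({"EventID": 4742, "Computer": "DC02.corp.example",
                "SubjectUserSid": ANONYMOUS_LOGON_SID, "SubjectUserName": "ANONYMOUS LOGON",
                "TargetUserName": "DC02$", "PasswordLastSet": "5/20/2022 2:03:11 AM"}),
    # Anonymous subject but the password field is "-" (unchanged): not the exploit.
    json.dumps({"EventID": 4742, "Computer": "DC01.corp.example",
                "SubjectUserSid": ANONYMOUS_LOGON_SID, "SubjectUserName": "ANONYMOUS LOGON",
                "TargetUserName": "DC01$", "PasswordLastSet": "-"}),
    # Workstation account changed by a named admin: target is not a DC, ignore.
    json.dumps({"EventID": 4742, "Computer": "DC01.corp.example",
                "SubjectUserSid": "S-1-5-21-1111-2222-3333-1105", "SubjectUserName": "jsmith",
                "TargetUserName": "WS0042$", "PasswordLastSet": "5/21/2022 9:00:00 AM"}),
    # Patched DC still allowing a vulnerable Netlogon secure channel from a legacy device.
    json.dumps({"EventID": 5829, "Computer": "DC01.corp.example",
                "SamAccountName": "LEGACY-NAS$"}),
    # Unrelated logon event.
    json.dumps({"EventID": 4624, "Computer": "DC01.corp.example",
                "SubjectUserSid": "S-1-0-0", "TargetUserName": "jsmith"}),
]


def parse_events(lines):
    """Yield one dict per JSON line; silently skip lines that are not valid JSON."""
    for line in lines:
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_zerologon_password_reset(ev):
    """Event 4742 in which an anonymous subject set a DC machine-account password.

    A DC rotating its own password logs 4742 too, but with a real subject SID,
    and a 4742 that changes other attributes leaves PasswordLastSet as "-".
    """
    return (ev.get("EventID") == 4742
            and ev.get("SubjectUserSid") == ANONYMOUS_LOGON_SID
            and ev.get("TargetUserName") in DOMAIN_CONTROLLER_ACCOUNTS
            and ev.get("PasswordLastSet", "-") != "-")


def is_vulnerable_netlogon_channel(ev):
    """Event 5829: Netlogon allowed a vulnerable secure-channel connection.

    Logged only by a DC that has the August 2020 patch but is not yet in
    enforcement mode; an unpatched DC never emits it.
    """
    return ev.get("EventID") == 5829


def detect(lines):
    """Return (rule, reporting DC, account) tuples for every matching event."""
    findings = []
    for ev in parse_events(lines):
        if is_zerologon_password_reset(ev):
            findings.append(("zerologon_password_reset", ev["Computer"], ev["TargetUserName"]))
        elif is_vulnerable_netlogon_channel(ev):
            findings.append(("vulnerable_netlogon_channel", ev["Computer"],
                             ev.get("SamAccountName", "?")))
    return findings


if __name__ == "__main__":
    for rule, host, account in detect(SAMPLE_EVENTS):
        print(f"{rule}: {host} -> {account}")
```

The 4742 check is the one that would have fired in an environment like the one described, where the DCs were unpatched; the 5829 check only becomes useful once the patch is on, and is there to catch the legacy devices that keep the DC out of enforcement mode. Both depend on the domain controllers actually shipping their Security log to the monitoring platform, which the ICO notice says was not the case for most of the estate.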
Incidents and reactions
The breach became public in August 2022 when, in a bungled extortion attempt, the Cl0p group claimed to have stolen data from a different water supplier, Thames Water, which serves around 15 million people in and around London.
At the time, the group claimed to have been capable of altering the chemical composition of the water supply, although this was disputed by South Staffordshire. The penalty notice makes no reference to any compromise of operational or water treatment systems.
The ICO placed the infringements in the medium seriousness category and reduced the total fine because of South Staffordshire's cooperation, early admission of liability and mitigation steps. A further discretionary reduction was applied, though the reasoning is redacted in the published notice.
South Staffordshire entered a voluntary settlement earlier this year, securing a 40% discount, and has agreed not to appeal against the ICO's decision.
The fine comes as British water suppliers face a growing number of cyberattacks. Five incidents were reported to the Drinking Water Inspectorate between January 2024 and October 2025, a record number for any two-year period, as reported by Recorded Future News, which obtained the figures under freedom of information laws in November 2025.
Those reports were made voluntarily. Under the current NIS Regulations, water suppliers are only required to notify authorities of cyber incidents that cause actual disruption to supplies. South Staffordshire's breach, which became public in 2022, did not meet that threshold.
The U.K. government's Cyber Security and Resilience Bill, intended to expand mandatory reporting requirements and improve security standards for critical infrastructure operators, is expected to be introduced to Parliament this year.
Although there have been ransomware attacks against the IT office systems used by water companies, including the companies that made the reports above in the U.K. and Aigües de Mataró in Spain, it is extremely rare for a cyberattack on a water supplier to actually disrupt services.
In one rare case of a successful attack on an operational technology (OT) component, residents of a remote area on Ireland's west coast were left without water for several days in December 2023 when a pro-Iran hacking group indiscriminately targeted facilities using a piece of equipment the hackers complained was made in Israel.
The U.S. federal government had issued a warning about the exploitation of Unitronics programmable logic controllers (PLCs) used by many organizations in the water sector. Attacks on PLCs, core components of a wide range of industrial control systems, are one of the principal concerns of critical infrastructure defenders.
Initiatives to improve the security of water systems in the United States faltered under the Biden administration when water industry groups partnered with Republican lawmakers to halt the federal efforts, despite significant increases in the number of ransomware attacks and state-sponsored intrusions.
Last year, Canadian authorities warned of an incident in which hacktivists modified the water pressure at one local utility, amid a spate of attacks interfering with industrial control systems.
South Staffordshire's chief executive, Charley Maher, said: "We accept the Information Commissioner's Office's decision concerning the cyber attack our Group experienced in 2022, and are sorry for the worry and concern it caused for customers and employees. We took immediate action to contain the incident, support those impacted and reduce the risk of recurrence.
"We have invested significantly to further strengthen our cyber security resilience, governance and monitoring, and we continue to enhance our capabilities as the threat landscape evolves. Protecting customer and employee information is a responsibility we take extremely seriously, and we remain focused on learning from this incident and maintaining strong safeguards across the Group."