Info Gov

A water company has been handed a fine of almost £1 million by the Information Commissioner's Office (ICO) after a cyber attack that began with a single phishing email went undetected for nearly two years, compromising the data of over 633,000 people and ultimately ending with more than four terabytes of stolen information being published on the dark web.

The ICO's £963,900 penalty against South Staffordshire Plc and South Staffordshire Water Plc follows an investigation into one of the most serious data breaches to hit the UK water sector.

The ICO notified South Staffordshire of its intention to issue a fine in December 2025. The company submitted representations, which the regulator said it considered carefully. These included improvements made after the attack, support offered to affected individuals, and engagement with other regulators and the National Cyber Security Centre.

South Staffordshire made an early admission of liability and agreed to accept the ICO's findings without appeal, triggering a 40% reduction on the original penalty figure and bringing the final fine to £963,900. Ian Hulme, the ICO's Interim Executive Director for Regulatory Supervision, welcomed the company's cooperation, saying it had allowed the ICO "to reach a voluntary settlement and save resources."

In September 2020, an attacker gained initial access to the company's systems via a phishing email. A member of staff opened a malicious attachment, allowing the hacker to install malware that sat silently inside the organisation's network for 20 months. It was not until May 2022 that the attacker moved to escalate their access, eventually compromising domain administrator privileges.

The breach was not discovered until IT performance issues prompted an internal investigation on 15 July 2022, and the company reported a personal data breach to the ICO nine days later. A ransom note the attacker had attempted to distribute to staff was found on 26 July. Between August and November 2022, South Staffordshire detected that over 4.1 terabytes of data had been published on the dark web.

At the time of the attack, South Staffordshire held data on approximately 1.85 million customers (750,000 current and 1.1 million former) as well as nearly 5,100 current and former employees. Of those, 633,887 people had their personal information subsequently published online.

The exposed data included names, addresses, email addresses, dates of birth, gender and telephone numbers. Employees had HR records compromised, including National Insurance numbers. Customers lost account credentials - usernames and passwords for South Staffordshire Water's online services - along with bank account numbers and sort codes. Information from which disabilities could be inferred was also included in the breach for customers on the Priority Services Register.

The ICO investigation identified a series of security failures. Only 5% of South Staffordshire's IT environment was being monitored at the time of the attack, meaning the malicious activity went entirely unnoticed. Limited access controls allowed the attacker to escalate to administrator-level privileges once inside the network. Some devices were running obsolete, unsupported software - including Windows Server 2003, a system Microsoft ceased supporting in 2015. The company also had inadequate vulnerability management, with critical systems left unpatched and no regular security scanning in place.

Ian Hulme, ICO Interim Executive Director for Regulatory Supervision, said: "Customers do not have the choice over which water company serves them - they are required to share their personal information and place their trust in that provider. The steps that South Staffordshire failed to take are established, widely understood and effective controls to protect computer networks."

He added that the case set a clear standard for the sector: "Waiting for performance issues or a ransom note to discover a breach is not acceptable. Proactive security is a legal requirement, not an optional extra."

The ICO used the announcement to urge all organisations - particularly those handling large volumes of personal data as part of critical national infrastructure - to audit their cyber resilience. The regulator highlighted four questions businesses should be asking themselves: whether access controls prevent users reaching systems they do not need; whether monitoring covers enough of their IT environment; whether all systems are patched and supported; and whether vulnerability management is a regular operational practice rather than an afterthought.
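The four questions above can be turned into a repeatable check against an asset inventory. The following is an added example (not code from the ICO, the NCSC or South Staffordshire) that scores a constructed inventory of 20 hosts and a handful of accounts on each question: monitoring coverage, unsupported software, unpatched critical systems, stale vulnerability scans and accounts holding domain-admin rights outside an approved role. The hostnames, account names, reference date, 95% coverage target and 30-day scan window are all assumptions chosen for illustration; the end-of-support dates are the vendor's published dates.

```python
"""Audit a (constructed) asset inventory against the ICO's four cyber-resilience questions."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Host:
    name: str
    os: str
    end_of_support: date             # vendor end-of-support date for the installed OS
    monitored: bool                  # covered by log collection / endpoint monitoring
    critical: bool                   # runs a business-critical service
    missing_critical_patches: int    # outstanding vendor patches rated critical
    last_vuln_scan: Optional[date]   # None means the host has never been scanned


@dataclass
class Account:
    name: str
    role: str
    domain_admin: bool               # member of the Domain Admins group


# Constructed sample data (not real systems or people). Twenty hosts, one monitored = 5% coverage.
AS_OF = date(2022, 9, 1)                 # assumed reference date so the run is deterministic
WIN2003_EOS = date(2015, 7, 14)          # Microsoft ended Windows Server 2003 support on this date
WIN2019_EOS = date(2029, 1, 9)
WIN10_21H2_EOS = date(2023, 6, 13)

HOSTS = [
    Host("dc01", "Windows Server 2019", WIN2019_EOS, True, True, 0, date(2022, 8, 20)),
    Host("legacy-billing", "Windows Server 2003", WIN2003_EOS, False, True, 12, None),
    Host("file01", "Windows Server 2019", WIN2019_EOS, False, True, 3, date(2022, 3, 1)),
] + [
    Host(f"ws{i:02d}", "Windows 10 21H2", WIN10_21H2_EOS, False, False, 0, date(2022, 8, 25))
    for i in range(17)
]

ADMIN_ROLES = {"domain-admin"}            # assumed: only dedicated admin roles may hold Domain Admins
ACCOUNTS = [
    Account("svc_backup", "service", True),
    Account("jsmith", "helpdesk", True),
    Account("da-amiller", "domain-admin", True),
    Account("kbrown", "finance", False),
]


def monitoring_coverage(hosts):
    """Fraction of hosts covered by monitoring (0.05 means 5%)."""
    return sum(1 for h in hosts if h.monitored) / len(hosts)


def unsupported_hosts(hosts, as_of):
    """Hosts whose OS passed its vendor end-of-support date before `as_of`."""
    return [h.name for h in hosts if h.end_of_support < as_of]


def unpatched_critical_hosts(hosts):
    """Business-critical hosts with outstanding critical patches."""
    return [h.name for h in hosts if h.critical and h.missing_critical_patches > 0]


def stale_scan_hosts(hosts, as_of, max_age_days=30):
    """Hosts never scanned, or not scanned within the assumed 30-day window."""
    return [
        h.name for h in hosts
        if h.last_vuln_scan is None or (as_of - h.last_vuln_scan).days > max_age_days
    ]


def excess_admins(accounts, allowed_roles=ADMIN_ROLES):
    """Accounts holding Domain Admins membership without an approved admin role."""
    return [a.name for a in accounts if a.domain_admin and a.role not in allowed_roles]


def audit(hosts, accounts, as_of, coverage_target=0.95):
    """Answer the four questions; an empty list or a True flag means the check passed."""
    coverage = monitoring_coverage(hosts)
    return {
        "monitoring_coverage": coverage,
        "monitoring_ok": coverage >= coverage_target,
        "unsupported": unsupported_hosts(hosts, as_of),
        "unpatched_critical": unpatched_critical_hosts(hosts),
        "stale_scans": stale_scan_hosts(hosts, as_of),
        "excess_admins": excess_admins(accounts),
    }


if __name__ == "__main__":
    for key, value in audit(HOSTS, ACCOUNTS, AS_OF).items():
        print(f"{key}: {value}")
```

Run against the constructed data, the report flags 5% monitoring coverage, the Windows Server 2003 host as unsupported, two critical hosts with missing patches and stale or absent scans, and two accounts with domain-admin rights outside the approved role. In practice the inventory would be fed from a CMDB or endpoint-management export rather than hard-coded, and each check should be run on a schedule so that vulnerability management becomes a routine rather than a response to performance problems.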

The ICO also highlighted relevant guidance and resources for organisations, including detailed guidance on protecting systems from ransomware attacks, guidance on the responsibilities of data processors and controllers, and lessons learnt from common security mistakes.

It also recommended the National Cyber Security Centre's website and the Cyber Essentials programme, a Government-backed certification scheme designed to help organisations protect their data from cyber attacks. The NCSC also publishes a Cyber Assessment Framework and has just launched the Cyber Action Toolkit, designed to help small organisations improve their cyber resilience.
