Monday, 11 May 2026 12:24

Information Commissioner fines South Staffs Plc and South Staffs Water Plc nearly £1m following major cyber attack and data breach

The Information Commissioner's Office (ICO) has fined South Staffordshire Plc and South Staffordshire Water Plc (together South Staffordshire) £963,900 following a serious cyber attack that resulted in the personal information of 633,887 people being extracted and published on the dark web.

The attack, which can be traced back to September 2020 but largely took place between May and July 2022, exposed significant failures in the company's approach to data security and left customers and employees vulnerable for nearly two years.

South Staffordshire suffered a cyber attack which began with a successful phishing email – a scam message aimed at tricking people. In this case, the recipient opened an attachment which enabled the attacker to install malicious software which remained undetected within the organisation's systems for 20 months. Then, in May 2022, the hacker moved through the network and compromised domain administrator privileges — the highest level of system access to the IT network.

The breach was only identified when IT performance issues prompted an internal investigation, which began on 15 July 2022. The company reported a personal data breach to the ICO on 24 July 2022. Then, on 26 July 2022, South Staffordshire discovered a ransom note that the hacker had unsuccessfully attempted to distribute to certain members of staff. Between August and November 2022, South Staffordshire detected that over 4.1 terabytes of data had been published on the dark web.

At the time of the attack, South Staffordshire held personal information relating to approximately 1.85 million customers — around 750,000 current and 1.1 million former — as well as 2,791 current employees and at least 2,298 former employees.

Personal information of 633,887 people published on the dark web in August 2022

The breach resulted in the personal information of 633,887 people subsequently being published on the dark web in August 2022. This included:

  • Personal details such as full name, physical address, email address, date of birth, gender and telephone number.
  • For employees, HR information including National Insurance numbers.
  • For customers, account information (including username and password for South Staffordshire Water online services) and bank account number and sort code.
  • For a small percentage of customers on the Priority Services Register, information from which disabilities could be inferred.


South Staffordshire failures

The ICO's investigation found that South Staffordshire failed to implement appropriate security controls required under UK data protection law. The failures included:

  • Limited controls enabled the attacker to escalate to administrator privileges after gaining an initial foothold on the network.
  • Inadequate monitoring and logging — only 5% of the IT environment was being monitored, meaning malicious activity was not detected.
  • Use of obsolete, unsupported software on some devices, including Windows Server 2003.
  • Inadequate vulnerability management, including unpatched critical systems and the absence of regular internal or external security scans.

Ian Hulme, ICO Interim Executive Director for Regulatory Supervision, said:

"Customers do not have the choice over which water company serves them — they are required to share their personal information and place their trust in that provider. It is therefore essential that water companies honour that trust by taking their data protection responsibilities seriously.

"The steps that South Staffordshire failed to take are established, widely understood and effective controls to protect computer networks. The ICO expects all organisations — and particularly those handling large volumes of personal information as part of critical national infrastructure — to have these in place.

"Waiting for performance issues or a ransom note to discover a breach is not acceptable. Proactive security is a legal requirement, not an optional extra."

In December 2025, the ICO informed South Staffordshire that it intended to fine the company. South Staffordshire then submitted representations, which the ICO considered carefully. These covered the improvements made after the attack, the support offered to affected people and the company's engagement with other regulators and the National Cyber Security Centre.

The ICO and South Staffordshire have now agreed a voluntary settlement. During the course of the investigation, South Staffordshire made an early admission of liability and, in accepting the ICO’s findings, has agreed to pay the penalty without appeal. The ICO has applied a 40% reduction, bringing the final penalty to £963,900, in recognition of the efficiencies that South Staffordshire’s early admission brought to the investigation.

Ian Hulme added:

“We welcome South Staffordshire’s early admission and cooperation in this case, allowing us to reach a voluntary settlement and save resources.”

Lessons for the sector

The ICO is urging organisations to review their cyber resilience in light of the case and ask themselves:

  • Are controls in place so that users and systems can only access what they genuinely need?
  • Are logging and monitoring controls in place providing sufficient coverage of the IT environment, and are alerts being acted upon?
  • Are all systems patched and supported? Legacy or end-of-life software represents a significant and avoidable risk.
  • Is vulnerability management part of regular operational practice, including both internal and external scanning?
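The four questions above map to properties that can be measured from an asset inventory rather than answered by opinion. What follows is an added example, not code from the ICO notice or from South Staffordshire: a Python audit run over a small constructed host inventory that computes log-forwarding coverage (the notice cites 5% for the real environment), flags operating systems past end of support, hosts with outstanding critical patches, hosts without a recent vulnerability scan, and hosts where a broad group has been granted local administrator rights. Host names, inventory fields, the 30-day scan window and the 95% coverage target are assumptions chosen for illustration; the end-of-support dates are Microsoft's published lifecycle dates.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# End-of-support dates (Microsoft lifecycle). Windows Server 2003 is the
# version named in the ICO notice; the other two are common legacy versions.
EOL_OS: Dict[str, date] = {
    "Windows Server 2003": date(2015, 7, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows 7": date(2020, 1, 14),
}

# Groups that should never appear in a local Administrators group (assumed list).
BROAD_GROUPS = {"Domain Users", "Authenticated Users", "Everyone"}


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    forwards_logs: bool                 # does the host ship logs to central monitoring?
    pending_critical_patches: int       # critical patches approved but not installed
    last_vuln_scan: Optional[date]      # None means the host has never been scanned
    local_admins: Tuple[str, ...]       # members of the local Administrators group


# Constructed sample inventory (hypothetical hosts, not from the ICO notice).
SAMPLE_INVENTORY: List[Host] = [
    Host("dc01", "Windows Server 2019", True, 0, date(2026, 5, 1), ("Domain Admins",)),
    Host("legacy-app", "Windows Server 2003", False, 3, None, ("Domain Admins", "Domain Users")),
    Host("file01", "Windows Server 2016", False, 1, date(2026, 2, 1), ("Domain Admins",)),
    Host("web01", "Ubuntu 22.04", True, 0, date(2026, 5, 8), ("ops-admins",)),
]


def monitoring_coverage(hosts: List[Host]) -> float:
    """Fraction of hosts whose logs reach central monitoring."""
    if not hosts:
        return 0.0
    return sum(1 for h in hosts if h.forwards_logs) / len(hosts)


def eol_hosts(hosts: List[Host], today: date) -> List[str]:
    """Hosts running an operating system whose support ended on or before today."""
    return sorted(h.name for h in hosts if h.os in EOL_OS and EOL_OS[h.os] <= today)


def unpatched_hosts(hosts: List[Host]) -> List[str]:
    """Hosts with at least one outstanding critical patch."""
    return sorted(h.name for h in hosts if h.pending_critical_patches > 0)


def stale_scan_hosts(hosts: List[Host], today: date, max_age_days: int = 30) -> List[str]:
    """Hosts never scanned, or not scanned within max_age_days."""
    return sorted(
        h.name for h in hosts
        if h.last_vuln_scan is None or (today - h.last_vuln_scan).days > max_age_days
    )


def broad_admin_hosts(hosts: List[Host]) -> List[str]:
    """Hosts where a broad group has local administrator rights (least-privilege failure)."""
    return sorted(h.name for h in hosts if BROAD_GROUPS.intersection(h.local_admins))


def audit(hosts: List[Host], today: date, min_coverage: float = 0.95) -> Dict[str, object]:
    """Answer the four sector questions for one inventory snapshot."""
    coverage = monitoring_coverage(hosts)
    return {
        "monitoring_coverage": coverage,
        "monitoring_ok": coverage >= min_coverage,
        "eol_hosts": eol_hosts(hosts, today),
        "unpatched_hosts": unpatched_hosts(hosts),
        "stale_scan_hosts": stale_scan_hosts(hosts, today),
        "broad_admin_hosts": broad_admin_hosts(hosts),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_INVENTORY, today=date(2026, 5, 11))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against a real inventory export, the interesting output is not the percentage but the host list behind it: every host in `stale_scan_hosts` or `eol_hosts` is one where an intruder's activity, like the 20 months of undetected malware described above, would not be seen or could not be patched away.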
