South Staffordshire Water fined after customers' details hacked
Water firm fined after customers' details hacked
14 hours ago
Oprah Flash West Midlands
BBC
The hack went undetected by the firm for 20 months, regulators found
A water company has been fined after hundreds of thousands of customers had their personal data hacked.
South Staffordshire, made up of South Staffordshire Plc and South Staffordshire Water Plc, was ordered to pay £963,900 by the Information Commissioner's Office (ICO) following the cyber attack, traced back to September 2020.
The firm supplies south Staffordshire, parts of the Black Country and surrounding areas.
Personal information of 633,887 people was taken and published on the dark web in the attack, which largely took place between May and July 2022, the ICO found.
The watchdog and water company agreed a voluntary settlement and South Staffordshire made an early admission of liability, agreeing to pay the penalty without appeal.
A phishing email was used to launch the hack, allowing the cyber attackers to install malicious software that remained undetected within the organisation's systems for 20 months.
In May 2022, the hacker went through the firm's network and took over administrator privileges — the highest level of system access to the IT network, the ICO said.
Ransom note
The breach came to light when IT performance issues prompted an internal investigation on 15 July 2022.
The company reported a personal data breach a few days later. On 26 July 2022, South Staffordshire found a ransom note that the hacker had unsuccessfully attempted to send to certain members of staff.
Between August and November 2022, South Staffordshire discovered that more than 4.1 terabytes (TB, each equal to 1,000GB) of data had been published on the dark web.
They included bank details of customers and National Insurance numbers of staff.
The ICO's investigation found South Staffordshire failed to bring in adequate security controls under UK data protection law, which allowed the hackers to get administrator access.
They were also allowed to operate largely undetected due to minimal monitoring of their activities and the firm's use of obsolete systems, and to take advantage of failures including a lack of regular security scans.
Ian Hulme, from the ICO, said: "Waiting for performance issues or a ransom note to discover a breach is not acceptable. Proactive security is a legal requirement, not an optional extra."