South Staffordshire Water Breach Leaks 633,887 Records, Draws £963,900 ICO Fine

Details of the 2020 South Staffordshire Water phishing breach, the 633,887 records exposed, the ICO fine, and steps defenders can take.

Peter Olaleru, Cybersecurity Editor

Chris Durham, a man with a grey beard and glasses, stands with a dog outside next to a brown wooden garden fence

Source: BBC

South Staffordshire Water’s 2020 breach exposed 633,887 records and drew a £963,900 ICO fine after attackers used a phishing email to linger undetected for 20 months.

In September 2020 a phishing email slipped past South Staffordshire Water’s defenses, giving attackers a foothold that went unnoticed for nearly two years.

Between August and November 2022 the firm uncovered more than 4.1 terabytes of customer and employee data posted on the dark web, including bank details and National Insurance numbers.

Victims reported scam emails, cloned identities, and fraudulent phone contracts; Chris Durham of Halesowen said he felt robbed after two unauthorized iPhone contracts were taken out in his name.

The breach compromised personal data of 633,887 individuals.

The Information Commissioner’s Office ordered South Staffordshire to pay £963,900, a penalty the company accepted without appeal as part of a voluntary settlement.

The attackers used a spear-phishing attachment (MITRE ATT&CK T1566.001) to deploy malware, then maintained persistence via legitimate credentials (T1078) and exfiltrated data over encrypted channels (T1041).

The fine highlights regulatory expectations for timely detection and response; customers face ongoing fraud risk while the firm must rebuild trust and invest in controls.

Defenders should enforce multi-factor authentication, deploy advanced email security that blocks malicious attachments, and monitor for anomalous outbound traffic consistent with exfiltration over command-and-control channels (T1041). Patching known vulnerabilities and applying the principle of least privilege limit lateral movement (T1021). Regular dark-web monitoring and incident-response drills reduce dwell time.
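The monitoring recommendation above is the one most directly tied to the 20-month dwell time: exfiltration on the scale of terabytes shows up as a sustained departure from a host's normal outbound volume long before the data surfaces on the dark web. The script below is an added example, not code from the article or from South Staffordshire Water, and runs over constructed firewall log lines (date, source host, destination, port, bytes out). It builds a per-host daily baseline on encrypted egress ports and flags a day whose volume exceeds a robust threshold (median plus a multiple of the median absolute deviation). The host names, log format, ports and thresholds are assumptions chosen for illustration.

```python
"""
Per-host baseline check for outbound volume on encrypted ports, a simple
detection aligned with ATT&CK T1041 (exfiltration over C2 channel).
Added example; not the article's or the utility's own code.
"""
from collections import defaultdict
from statistics import median

# Constructed sample firewall export (not real traffic):
# date  src_host  dst_ip  dst_port  bytes_out
SAMPLE_LOGS = """\
2022-08-01 ws-finance-07 203.0.113.10 443 52000000
2022-08-02 ws-finance-07 203.0.113.10 443 48000000
2022-08-03 ws-finance-07 203.0.113.10 443 51000000
2022-08-04 ws-finance-07 203.0.113.10 443 49000000
2022-08-05 ws-finance-07 203.0.113.10 443 53000000
2022-08-06 ws-finance-07 203.0.113.10 443 47000000
2022-08-07 ws-finance-07 203.0.113.10 443 50000000
2022-08-08 ws-finance-07 198.51.100.23 443 6000000000
2022-08-01 ws-hr-02 203.0.113.10 443 30000000
2022-08-02 ws-hr-02 203.0.113.10 443 30000000
2022-08-03 ws-hr-02 203.0.113.10 443 30000000
2022-08-04 ws-hr-02 203.0.113.10 443 30000000
2022-08-05 ws-hr-02 203.0.113.10 443 30000000
2022-08-06 ws-hr-02 203.0.113.10 443 30000000
2022-08-07 ws-hr-02 203.0.113.10 443 30000000
2022-08-08 ws-hr-02 203.0.113.10 443 30000000
2022-08-08 ws-hr-02 203.0.113.44 80 9000000000
"""

# Assumed scope: ports where a TLS/SSH tunnel would hide exfiltrated content.
ENCRYPTED_PORTS = {443, 22}
MIN_HISTORY_DAYS = 5   # do not alert until a host has a usable baseline
MAD_MULTIPLIER = 6.0   # how far above the baseline spread counts as a spike


def parse_logs(text):
    """Turn the whitespace-separated export into (day, host, dst, port, bytes) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, host, dst, port, nbytes = line.split()
        records.append((day, host, dst, int(port), int(nbytes)))
    return records


def daily_encrypted_egress(records):
    """Sum bytes_out per host per day, counting only the encrypted ports in scope."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, port, nbytes in records:
        if port in ENCRYPTED_PORTS:
            totals[host][day] += nbytes
    return totals


def find_egress_spikes(totals, min_history=MIN_HISTORY_DAYS, k=MAD_MULTIPLIER):
    """Flag any day whose volume exceeds median + k * MAD of that host's earlier days.

    Median and MAD are used instead of mean and standard deviation so that one
    huge day does not inflate the baseline and hide later exfiltration.
    """
    alerts = []
    for host, by_day in totals.items():
        days = sorted(by_day)
        for i, day in enumerate(days):
            history = [by_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue
            med = median(history)
            mad = median([abs(v - med) for v in history])
            # Floor the spread at 10% of the median: a perfectly flat baseline
            # (MAD == 0) must not turn every small wobble into an alert.
            spread = max(mad, 0.1 * med)
            threshold = med + k * spread
            value = by_day[day]
            if value > threshold:
                alerts.append({
                    "host": host,
                    "day": day,
                    "bytes": value,
                    "baseline_median": med,
                    "threshold": threshold,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_egress_spikes(daily_encrypted_egress(parse_logs(SAMPLE_LOGS))):
        print(f"{alert['day']} {alert['host']}: {alert['bytes']:,} bytes out "
              f"(baseline median {alert['baseline_median']:,.0f}, "
              f"threshold {alert['threshold']:,.0f})")
```

On the constructed data only ws-finance-07 on 2022-08-08 is flagged; the 9 GB sent by ws-hr-02 on port 80 is outside the encrypted-port scope of this check, which is a deliberate narrowing to match the article's T1041 point and not what a production deployment should do, where all egress would be baselined and the alert enriched with the destination (here a previously unseen address).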

Watch for updates on the firm’s promised security upgrades and any further ICO guidance on critical-infrastructure data protection.
