
South Staffordshire Water fined £963,900 after 20‑month phishing breach

South Staffordshire Water was ordered to pay £963,900 after a 20‑month phishing attack exposed 633,887 customers’ data. Learn the timeline, impact and defensive steps.

Peter Olaleru, Cybersecurity Editor (3 min read, GB)

Stock photo of family washing hands in the kitchen sink

Source: BBC (original source)

South Staffordshire Water was fined £963,900 after a 20‑month phishing‑led breach exposed 633,887 customers’ data.

The firm supplies water to south Staffordshire, Walsall, Dudley, north Warwickshire, north Worcester and south Derbyshire. In September 2020 attackers delivered a phishing email that gave them an initial foothold inside the network.

The intrusion remained undetected for about 20 months. Performance issues on 15 July 2022 prompted an internal review, which uncovered the compromise a few days later.

Between May and July 2022 the attackers moved laterally, seized administrator privileges (the highest level of system access) and began exfiltrating data.

They extracted more than 4.1 TB of information, including names, addresses, bank details and National Insurance numbers of 633,887 individuals, which appeared on the dark web.

The ICO’s investigation found the company failed to implement adequate security controls under UK data protection law, neglected regular vulnerability scans and relied on obsolete systems, allowing the attackers to operate largely unseen.

As a result the regulator ordered a penalty of £963,900. South Staffordshire Water accepted the finding and paid the fine without appeal.

The ICO stated that waiting for performance issues or a ransom note to discover a breach is unacceptable; proactive security is a legal requirement, not an optional extra.

Defenders should block phishing at the gateway (MITRE ATT&CK T1566.001), enforce multi‑factor authentication on all privileged accounts, and apply least‑privilege principles to limit credential misuse (T1078).

Continuous monitoring of privileged activity, anomalous file transfers and unusual login patterns (T1083, T1041) is essential, backed by quarterly vulnerability scans and timely patching.
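As an added example (not code from the article, the ICO or the company), a small detector for the anomalous-file-transfer monitoring (T1041) described above: it builds a per-account outbound-volume baseline from earlier transfer logs and flags later transfers that dwarf it, noting privileged accounts and off-hours activity. The log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, account, role, outbound bytes per transfer.
SAMPLE_LOG = """\
2022-04-03T09:12:00 svc_backup admin 52000000
2022-04-10T09:15:00 svc_backup admin 48000000
2022-04-17T09:11:00 svc_backup admin 51000000
2022-05-02T02:41:00 svc_backup admin 900000000000
2022-05-03T03:05:00 svc_backup admin 1200000000000
2022-04-05T10:00:00 jsmith user 3000000
2022-04-06T10:30:00 jsmith user 2500000
2022-05-09T11:00:00 jsmith user 2800000
"""

def parse_log(text):
    """Parse the assumed whitespace-separated format into (time, account, is_admin, bytes)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, role, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), account, role == "admin", int(nbytes)))
    return events

def find_exfil_candidates(events, baseline_end, ratio=10.0, off_hours=(0, 6)):
    """Flag transfers at or after baseline_end (ISO string) that exceed ratio x the
    account's mean transfer size from the baseline window. Accounts with no baseline
    history are flagged too, since a brand-new sender of bulk data deserves a look."""
    cutoff = datetime.fromisoformat(baseline_end)
    baseline = defaultdict(list)
    for ts, account, _, nbytes in events:
        if ts < cutoff:
            baseline[account].append(nbytes)
    findings = []
    for ts, account, is_admin, nbytes in events:
        if ts < cutoff:
            continue
        hist = baseline.get(account)
        reasons = []
        if not hist:
            reasons.append("no baseline history")
        elif nbytes >= ratio * (sum(hist) / len(hist)):
            reasons.append("volume %.0fx baseline" % (nbytes / (sum(hist) / len(hist))))
        if not reasons:
            continue
        if is_admin:
            reasons.append("privileged account")
        if off_hours[0] <= ts.hour < off_hours[1]:
            reasons.append("off-hours")
        findings.append({"account": account, "when": ts.isoformat(), "bytes": nbytes, "reasons": reasons})
    return findings

def demo():
    """Run the detector over the constructed sample with May 2022 as the post-baseline period."""
    return find_exfil_candidates(parse_log(SAMPLE_LOG), "2022-05-01T00:00:00")
```

A real deployment would feed this from proxy, firewall or DLP logs and alert on findings rather than returning them; the baseline here is a simple mean, which is enough to separate a routine 50 MB backup from a multi-terabyte transfer.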

Legacy platforms must be replaced or isolated, and organisations should follow NCSC guidance on phishing resilience and privileged access management.

Watch for further ICO enforcement actions against utilities and potential class‑action claims stemming from the exposed personal data.
