British regulator fines South Staffordshire Water following a massive personal data breach
The British water utility South Staffordshire Water suffered a cybersecurity incident that dates back to September 2020, when attackers gained access to its internal systems through a phishing campaign targeting employees. According to a subsequent investigation by the UK’s Information Commissioner’s Office (ICO), the intruders remained within the corporate network for an extended period without being detected, exploiting technical vulnerabilities and outdated systems. The incident was not discovered until July 2022, after the company detected anomalies in the operation of its computer systems. It was later confirmed that the attackers had had prolonged access to sensitive personal and corporate information.
The attack compromised the personal data of approximately 664,000 people, including the company’s customers and employees. The exposed information included full names, addresses, phone numbers, dates of birth, bank details, and certain employment-related information. British authorities also indicated that some of that data ended up being published online by the ransomware group linked to the attack. In its official statements, the company explained that the incident primarily affected corporate information technology systems and that the drinking water supply did not experience any operational disruptions.
The case is now closed from a regulatory standpoint following the imposition of a penalty by the ICO. The company has stated that it cooperated with the authorities throughout the investigation and implemented additional security measures after discovering the incident.



