UK Water Supplier Fined $1.3M After Cyberattack Exposes Customer Data
The UK's **Information Commissioner's Office (ICO)** has levied a significant fine against **South Staffordshire Water Plc** and its parent company, **South Staffordshire Plc**, following a cyberattack disclosed in 2022. The attack resulted in the exposure of personal data belonging to 633,887 customers and employees, and the ICO's findings point to long-standing failures in the company's data security practices.

### The Breach and Its Impact
**South Staffordshire Water**, which supplies drinking water to 1.6 million consumers daily, disclosed a cyberattack in 2022 that disrupted IT operations. The company initially downplayed claims made by the **Cl0p** ransomware group (which had at first misattributed the attack to a different water supplier), but the ICO's investigation confirmed the leaked data was genuine and traced the initial compromise back to September 2020.
The ICO's announcement stated, "We have fined South Staffordshire Plc and South Staffordshire Water Plc (together South Staffordshire) £963,900 following a serious cyber attack that resulted in the personal information of 633,887 people being extracted and published on the dark web."
According to the ICO, the attackers gained access through a phishing attack and installed malware that remained undetected for 20 months. Between May and July 2022 they escalated privileges and obtained domain administrator access. The breach was only discovered in July 2022, and then only because of IT performance issues rather than any security alert.
The compromised data included full names, addresses, email addresses, phone numbers, dates of birth, customer account credentials, bank account details, and employee HR data, including National Insurance numbers.
### Security Failures Identified
The ICO identified several critical security failures that contributed to the data exposure:
* Insufficient controls to prevent privilege escalation
* Monitoring covering only approximately 5% of the IT environment
* Use of obsolete software, such as **Windows Server 2003**
* Poor vulnerability management and missing security patches
* Lack of regular internal and external security scans
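Two of the failures above, log coverage of roughly 5% of the estate and hosts still running Windows Server 2003, are both measurable from an asset inventory joined against the list of hosts that actually forward logs to the SIEM. The script below is an added example (not from the ICO notice and not South Staffordshire's own tooling) that computes the coverage figure, lists domain controllers that send no logs (where privilege escalation to domain admin would otherwise go unseen), and flags hosts whose operating system is past its end-of-support date. The inventory, the log-source set and all host names are constructed sample data; the end-of-support dates are Microsoft's published extended-support end dates for the listed products and should be checked against the vendor's lifecycle page before use.

```python
"""Added example: measure monitoring coverage and end-of-life OS exposure.

Not code from the ICO notice or from South Staffordshire; inventory, log
sources and host names below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    domain_controller: bool = False


# Microsoft extended-support end dates for the products used in the sample
# inventory. Anything not in this table is reported as "unknown" rather than
# silently treated as supported, so a typo in the OS field cannot hide a gap.
EOL = {
    "Windows Server 2003": date(2015, 7, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
    "Windows Server 2016": date(2027, 1, 12),
    "Windows Server 2019": date(2029, 1, 9),
    "Windows 10": date(2025, 10, 14),
}

# Constructed inventory: 20 hosts, of which only DC01 forwards logs to the SIEM.
INVENTORY = [
    Host("DC01", "Windows Server 2019", domain_controller=True),
    Host("DC02", "Windows Server 2019", domain_controller=True),
    Host("FILE01", "Windows Server 2003"),
    Host("APP01", "Windows Server 2008 R2"),
    Host("MAIL01", "Windows Server 2016"),
] + [Host(f"WS{n:02d}", "Windows 10") for n in range(1, 16)]

# Constructed: names of hosts the SIEM has received events from recently.
LOG_SOURCES = {"DC01"}


def monitoring_coverage(inventory, log_sources):
    """Fraction of inventoried hosts that appear as a SIEM log source."""
    if not inventory:
        return 0.0
    covered = sum(1 for h in inventory if h.name in log_sources)
    return covered / len(inventory)


def unmonitored_domain_controllers(inventory, log_sources):
    """DCs with no log feed: domain-admin misuse on these is invisible."""
    return [h.name for h in inventory
            if h.domain_controller and h.name not in log_sources]


def unsupported_hosts(inventory, as_of, eol=EOL):
    """Hosts whose OS passed its end-of-support date before `as_of`."""
    return [h.name for h in inventory
            if h.os in eol and eol[h.os] < as_of]


def unknown_os_hosts(inventory, eol=EOL):
    """Hosts whose OS string is not in the lifecycle table at all."""
    return [h.name for h in inventory if h.os not in eol]


def report(inventory, log_sources, as_of):
    """Summarise the gaps a reviewer would want on one page."""
    return {
        "coverage": monitoring_coverage(inventory, log_sources),
        "unmonitored_dcs": unmonitored_domain_controllers(inventory, log_sources),
        "unsupported": unsupported_hosts(inventory, as_of),
        "unknown_os": unknown_os_hosts(inventory),
    }


if __name__ == "__main__":
    # July 2022 is when the ICO says the intrusion was finally noticed.
    r = report(INVENTORY, LOG_SOURCES, date(2022, 7, 1))
    print(f"monitoring coverage: {r['coverage']:.0%}")
    print(f"domain controllers without logs: {r['unmonitored_dcs']}")
    print(f"hosts past end of support: {r['unsupported']}")
    print(f"hosts with unrecognised OS: {r['unknown_os']}")
```

On the constructed inventory this reports 5% coverage, one domain controller with no log feed, and two hosts past end of support as of July 2022; the same join against a real CMDB export and the SIEM's active source list is a cheap recurring check, and the "unknown OS" bucket is the one to watch, since inventory gaps are how end-of-life hosts survive unnoticed.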
These failures constituted a clear breach of the security obligations in UK data protection law, leading to the substantial fine. The initial penalty was reduced by 40% because **South Staffordshire** admitted liability, cooperated with the investigation, and agreed to settle without appeal.
