
ICO fines South Staffordshire Water after hackers hid inside systems for almost two years

The Information Commissioner’s Office (ICO) has fined South Staffordshire Water and its parent company South Staffordshire Plc £963,900 following a major cyberattack that exposed the personal information of more than 633,000 customers and employees. 

According to the regulator, hackers (widely believed to be linked to the Cl0p ransomware group) remained inside the company’s systems for almost 20 months before the breach was finally discovered in July 2022. 

The ICO described the incident as a serious failure of cyber security controls, warning that critical infrastructure providers must take stronger steps to protect customer data. 

What happened in the South Staffordshire Water cyberattack?

The ICO says the attack began in September 2020 when an employee opened a phishing email attachment containing malicious software. That gave attackers an initial foothold inside the organisation’s systems. According to the regulator, the malware remained undetected for almost two years. 

In May 2022, the hackers escalated their access and compromised domain administrator privileges — one of the highest levels of access possible within the company’s IT environment. Despite this, the breach was only identified after unexplained IT performance problems triggered an internal investigation on 15 July 2022. 

South Staffordshire Water reported the breach to the ICO on 24 July 2022. Two days later, the company discovered a ransom note that attackers had unsuccessfully attempted to distribute to staff members. 

Between August and November 2022, the company identified more than 4.1 terabytes of stolen data published on the dark web. 

What data was exposed?

According to the ICO, the South Staffordshire Water data breach resulted in the personal information of 633,887 people being published online. 

The exposed data reportedly included: 

  • Full names 
  • Home addresses 
  • Email addresses 
  • Telephone numbers 
  • Dates of birth 
  • Gender information 
  • National Insurance numbers 
  • Bank account numbers and sort codes 
  • Online account usernames and passwords.  

For some customers registered on South Staffordshire Water’s Priority Services Register, the leaked data also included information from which disabilities or vulnerabilities could potentially be inferred. 

At the time of the attack, South Staffordshire Water held personal information relating to around 1.85 million customers, including approximately 750,000 current customers and 1.1 million former customers. Employee data was also affected. 

What did the ICO say went wrong?

The ICO identified several major cyber security failings during its investigation, including:

  • Inadequate monitoring and logging across the IT environment 
  • Only around 5% of systems being actively monitored 
  • Failure to properly restrict administrator privileges 
  • Use of outdated Windows Server 2003 systems 
  • Missing security patches on critical systems 
  • Lack of regular internal and external vulnerability scanning. 

According to the regulator, South Staffordshire Water failed to implement appropriate technical and organisational measures required under UK data protection law.  

The case highlights growing concerns around cybersecurity risks facing the UK’s critical national infrastructure. The regulator is now urging organisations across the sector to review their cyber resilience. 

The ICO originally informed South Staffordshire Water in December 2025 that it intended to issue a financial penalty. However, the regulator later agreed a voluntary settlement after the company admitted liability early, cooperated with investigators and agreed not to appeal the decision. The ICO applied a 40% reduction to the penalty, reducing the final fine to £963,900. 

Could affected customers be entitled to compensation?

Data breaches involving financial and identity information can expose individuals to a range of risks, including fraud attempts, phishing scams, identity theft and emotional distress. 

None of the fine issued by the ICO will go to victims of this data breach. This is because ICO fines are paid to the government rather than directly to people affected by the breach.

However, people affected by serious data breaches may be entitled to compensation in certain circumstances, particularly where sensitive personal information was exposed or where the incident caused financial harm or distress.

South Staffordshire Water and Cambridge Water customers who believe their data may have been affected can register their interest through Join the Claim to stay informed if a partner law firm takes action. 

Join the Claim connects consumers with SRA-regulated lawyers. Visit the claim page to check your eligibility if a claim is open with one of our trusted legal partners. If a group action has not yet been launched, you can register your interest and we’ll keep you informed if a partner firm decides to take a claim forward.  

This information is for general guidance only and does not constitute legal or financial advice.
