South Staffordshire Water and its parent company have agreed to pay a £1 million fine to the UK Information Commissioner's Office following a data breach that exposed personal information of 633,887 customers and employees. The breach, which began with a phishing email in September 2020, went undetected for nearly two years before being discovered in July 2022. The compromised data, representing approximately one-third of all personal information held by the company, was subsequently published on the dark web.
The attack started when an employee fell victim to a phishing email on September 11, 2020, which led to the installation of the Get2 downloader and the SDBbot remote access Trojan. The threat actor remained undetected within the network until May 2022, when they began lateral movement, using a compromised domain administrator account and Remote Desktop Protocol (RDP) to reach 20 different endpoints. The breach was only discovered on July 15, 2022, when IT performance issues caused by unauthorized database exports prompted an internal investigation.
The stolen data included personal information such as full names, addresses, dates of birth, telephone numbers, and email addresses. More critically, the breach exposed employees' National Insurance numbers, customers' bank account details including sort codes, and information about customers on the Priority Services Register from which disabilities could be inferred. The threat actor claimed to have exfiltrated 4.1 terabytes of data and, on July 26, 2022, attempted to send a ransom note to some staff members; the attempt failed.
The ICO investigation revealed multiple security deficiencies that enabled the prolonged breach. The company had implemented monitoring on only 5% of its IT environment, failed to enforce least privilege access controls, and continued operating legacy systems including Windows Server 2003. Additionally, South Staffordshire Water lacked adequate vulnerability management practices, with critical systems remaining unpatched and no regular internal or external security scans being conducted. These failures allowed the attacker to escalate privileges and move through the network undetected for 22 months.
The ICO emphasized that water companies, as critical national infrastructure providers serving captive customer bases, must implement basic security controls. Organizations should review their security posture by ensuring least privilege access controls are enforced, expanding logging and monitoring coverage beyond minimal thresholds, retiring unsupported legacy systems, and establishing regular vulnerability scanning and patching programs. The regulator stressed that discovering breaches through performance degradation or ransom notes indicates inadequate proactive security measures.
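The lateral movement described above (one domain administrator account opening RDP sessions to 20 endpoints over a period of weeks) is exactly the pattern that broad logon monitoring catches and that 5% coverage does not. The following added example, not code from the ICO, the company or the article, flags any account whose RDP logons (Windows Security event 4624 with LogonType 10) reach three or more distinct hosts within a 24-hour window, and raises the severity when the account is on a list of privileged accounts. The log lines, the account and host names, and the `PRIVILEGED_ACCOUNTS` set are all constructed for illustration; the thresholds are assumptions to be tuned per estate.

```python
"""Flag one account opening RDP sessions to many distinct hosts in a short
window, the lateral-movement pattern described in the article.

Added example: not code from the ICO, South Staffordshire Water or the
article. The sample events below are constructed for illustration and are
only loosely modelled on Windows Security event 4624 fields."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# In event 4624, LogonType 10 is RemoteInteractive, i.e. an RDP session.
RDP_LOGON_TYPE = 10

# Assumption: the organisation maintains a list of domain admin accounts.
PRIVILEGED_ACCOUNTS = {"svc-domainadmin@corp.example"}

# Constructed sample log, newline-delimited JSON. Not real incident data.
# svc-domainadmin: five RDP hosts in six hours, plus one a week later.
# j.smith: two RDP hosts (below threshold).
# svc-backup: many hosts but LogonType 3 (network), so not RDP.
SAMPLE_LOG = """\
{"time": "2022-05-03T01:12:00", "event_id": 4624, "logon_type": 10, "account": "svc-domainadmin@corp.example", "host": "FS01"}
{"time": "2022-05-03T01:40:00", "event_id": 4624, "logon_type": 10, "account": "svc-domainadmin@corp.example", "host": "SQL02"}
{"time": "2022-05-03T02:05:00", "event_id": 4624, "logon_type": 10, "account": "svc-domainadmin@corp.example", "host": "APP07"}
{"time": "2022-05-03T03:30:00", "event_id": 4624, "logon_type": 10, "account": "svc-domainadmin@corp.example", "host": "DC01"}
{"time": "2022-05-03T06:55:00", "event_id": 4624, "logon_type": 10, "account": "svc-domainadmin@corp.example", "host": "HR-DB"}
{"time": "2022-05-03T09:00:00", "event_id": 4624, "logon_type": 10, "account": "j.smith@corp.example", "host": "WS114"}
{"time": "2022-05-03T14:20:00", "event_id": 4624, "logon_type": 10, "account": "j.smith@corp.example", "host": "WS115"}
{"time": "2022-05-03T09:01:00", "event_id": 4624, "logon_type": 3, "account": "svc-backup@corp.example", "host": "FS01"}
{"time": "2022-05-03T09:02:00", "event_id": 4624, "logon_type": 3, "account": "svc-backup@corp.example", "host": "FS02"}
{"time": "2022-05-03T09:03:00", "event_id": 4624, "logon_type": 3, "account": "svc-backup@corp.example", "host": "FS03"}
{"time": "2022-05-03T09:04:00", "event_id": 4624, "logon_type": 3, "account": "svc-backup@corp.example", "host": "FS04"}
{"time": "2022-05-10T01:00:00", "event_id": 4624, "logon_type": 10, "account": "svc-domainadmin@corp.example", "host": "FS09"}
"""


def parse_events(text):
    """Parse NDJSON lines into dicts, converting 'time' to a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return events


def detect_rdp_fan_out(events, privileged=PRIVILEGED_ACCOUNTS,
                       min_hosts=3, window=timedelta(hours=24)):
    """Return one alert per account whose RDP logons reach at least
    `min_hosts` distinct hosts inside some span no longer than `window`.
    The span reported is the one with the most distinct hosts."""
    by_account = defaultdict(list)
    for ev in events:
        if ev.get("event_id") == 4624 and ev.get("logon_type") == RDP_LOGON_TYPE:
            by_account[ev["account"]].append(ev)

    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        best = None
        # Slide a window starting at each event; collect distinct hosts.
        for i, start in enumerate(evs):
            hosts, last = set(), start["time"]
            for ev in evs[i:]:
                if ev["time"] - start["time"] > window:
                    break
                hosts.add(ev["host"])
                last = ev["time"]
            if best is None or len(hosts) > len(best["hosts"]):
                best = {"hosts": hosts, "first": start["time"], "last": last}
        if best is not None and len(best["hosts"]) >= min_hosts:
            alerts.append({
                "account": account,
                "severity": "high" if account in privileged else "medium",
                "hosts": sorted(best["hosts"]),
                "first": best["first"].isoformat(),
                "last": best["last"].isoformat(),
            })
    # Privileged-account alerts first, then alphabetical by account.
    alerts.sort(key=lambda a: (a["severity"] != "high", a["account"]))
    return alerts


def run_sample():
    """Run the detection over the constructed sample log."""
    return detect_rdp_fan_out(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

On the constructed sample this produces a single high-severity alert for `svc-domainadmin@corp.example` covering five hosts between 01:12 and 06:55 on 2022-05-03; the later logon on 2022-05-10 falls outside the window, the helpdesk user stays under the threshold, and the network logons by the backup account are ignored. The rule only works if 4624 events are actually being forwarded from every endpoint, which is the coverage point the ICO made; it also assumes that routine administration is done from a small, known set of jump hosts, so that a privileged account fanning out across the estate is anomalous rather than normal.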
Source: https://www.infosecurity-magazine.com/news/south-staffordshire-water-fined-1m/