Water firm fined after customers' details hacked

22d ago · UK · primary source: feeds.bbci.co.uk

South Staffordshire Water has been fined £963,900 by the UK data watchdog after a cyber-attack compromised the personal data of over 633,000 people, which was later published on the dark web [1]. The Information Commissioner's Office (ICO) found that the attack began with a phishing email in September 2020, which allowed the attackers to install malware that remained undetected for 20 months [1]. The main period of data exfiltration ran from May to July 2022, and the breach was only discovered on 15 July 2022, as a result of IT performance issues [1]. The company later found a ransom note that the hacker had attempted to send to staff [1]. Between August and November 2022, more than 4.1 terabytes of data, including customer bank details and staff National Insurance numbers, were published online [1]. The ICO investigation concluded that South Staffordshire had failed to implement adequate security controls, used obsolete systems and lacked sufficient monitoring, which allowed the attackers to gain administrator access [1]. Ian Hulme of the ICO said: "Waiting for performance issues or a ransom note to discover a breach is not acceptable. Proactive security is a legal requirement, not an optional extra" [1]. The company made an early admission of liability and agreed to pay the penalty without appeal [1].

Sources
