A UK water company has been fined nearly £1m by the Information Commissioner’s Office (ICO) after a two-year incident resulted in the compromise of personal information on over 633,000 people. South Staffordshire Water and its parent company, South Staffordshire PLC, agreed to pay the ICO a fine 40% lower than the original £1.6m sum in return for not contesting it. The threat actor claimed to have stolen 4.1TB of data from South Staffordshire Water, covering 633,887 current and former customers and employees.
The stolen PII, which was dumped on the dark web, was highly sensitive, including full names, addresses, dates of birth, National Insurance numbers and bank account details. The incident began with a phishing email on 11 September 2020, followed by the attacker moving laterally through the network on 17 May 2022, and a ransom note being discovered on 26 July 2022. According to the ICO, the breach was detected after IT performance issues prompted an investigation on 15 July 2022.