Brian Sims
Editor

South Staffordshire plc and South Staffordshire Water plc fined by ICO

THE INFORMATION Commissioner’s Office (ICO) has fined South Staffordshire plc and South Staffordshire Water plc (taken together as South Staffordshire) the sum of £963,900 following a serious cyber attack that resulted in the personal information of no fewer than 633,887 individuals being extracted and published on The Dark Web.

The cyber episode, which can be traced back to September 2020 (but largely took place between May and July 2022), exposed “significant failures” in the company’s approach towards data security and left customers and employees alike vulnerable for nearly two years.

South Staffordshire suffered a cyber attack which began with a successful phishing e-mail (ie a scam message aimed at tricking people). In this case, the recipient opened an attachment, which then enabled the attacker to install malicious software. The latter remained undetected within the organisation’s systems for some 20 months.

Then, in May 2022, the hacker moved through the network and compromised domain administrator privileges: the highest level of system access to the IT network. The breach was only identified when IT performance issues prompted an internal investigation to commence on 15 July 2022.

The company reported a personal data breach to the ICO on 24 July 2022. Then, two days later, South Staffordshire discovered a ransom note that the hacker had unsuccessfully attempted to distribute to certain members of staff. Between August and November 2022, South Staffordshire detected that over 4.1 terabytes of data had been published on The Dark Web. 

Who was affected? 

At the time of the attack, South Staffordshire held personal information relating to approximately 1.85 million customers – circa 750,000 of them current and 1.1 million former customers – as well as 2,791 current employees and at least 2,298 former employees.

The breach resulted in the personal information of 633,887 individuals being subsequently published on The Dark Web in August 2022. This included: 

* personal details such as full name, physical address, e-mail address, date of birth, gender and telephone number

* for employees, their Human Resources information including National Insurance numbers

* for customers, account information (including username and password for South Staffordshire Water plc’s online services), bank account number and sort code

* for a small percentage of customers on the Priority Services Register, information from which disabilities could be inferred

Security control failure 

The ICO’s investigation found that South Staffordshire failed to implement appropriate security controls as required under UK data protection law. These failures included the following: 

* limited controls enabled the attacker to escalate to administrator privileges after gaining an initial foothold on the network

* inadequate monitoring and logging: only 5% of the IT environment was being monitored, meaning that malicious activity wasn’t detected

* use of obsolete and unsupported software on some devices, including Windows Server 2003

* inadequate vulnerability management, including unpatched critical systems and the absence of regular internal or external security scans
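As an added illustration (not part of the ICO’s findings or of this article), the following Python script shows the kind of asset-inventory audit that would surface the last three failures listed above: it computes what share of hosts actually forward logs to central monitoring, and flags hosts running end-of-support software, hosts whose patching is overdue and hosts that have not been scanned within the agreed window. The host names, dates and the end-of-support list are constructed sample data, not South Staffordshire’s estate.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Host:
    name: str
    os: str
    forwards_logs: bool            # does this host ship logs to the SIEM / central monitoring?
    last_patched: date
    last_scanned: Optional[date]   # None means the host has never been vulnerability-scanned


# Assumed list maintained by the security team; Windows Server 2003 is the product
# named in the ICO findings, the others are well-known end-of-support releases.
END_OF_SUPPORT = {"Windows Server 2003", "Windows Server 2008 R2", "Windows 7"}

# Fixed "as of" date so the example is reproducible (constructed, not a real audit date).
TODAY = date(2022, 7, 15)

# Constructed sample inventory.
SAMPLE_INVENTORY = [
    Host("dc01",   "Windows Server 2019",    True,  date(2022, 7, 1),  date(2022, 6, 20)),
    Host("file01", "Windows Server 2003",    False, date(2015, 7, 14), None),
    Host("app01",  "Windows Server 2016",    False, date(2022, 5, 1),  date(2022, 3, 1)),
    Host("web01",  "Ubuntu 20.04",           True,  date(2022, 7, 10), date(2022, 7, 1)),
    Host("hr01",   "Windows Server 2008 R2", False, date(2020, 1, 14), None),
    Host("db01",   "Windows Server 2019",    False, date(2022, 7, 5),  date(2022, 2, 1)),
]


def audit(hosts, today=TODAY, max_patch_age=30, max_scan_age=90):
    """Return monitoring coverage and the hosts failing each control check.

    max_patch_age / max_scan_age are the organisation's own thresholds in days
    (assumed values here)."""
    patch_cutoff = today - timedelta(days=max_patch_age)
    scan_cutoff = today - timedelta(days=max_scan_age)

    monitored = [h for h in hosts if h.forwards_logs]
    coverage_pct = round(100.0 * len(monitored) / len(hosts), 1) if hosts else 0.0

    return {
        "coverage_pct": coverage_pct,
        "unmonitored": sorted(h.name for h in hosts if not h.forwards_logs),
        "end_of_support": sorted(h.name for h in hosts if h.os in END_OF_SUPPORT),
        "patch_overdue": sorted(h.name for h in hosts if h.last_patched < patch_cutoff),
        "scan_overdue": sorted(
            h.name for h in hosts
            if h.last_scanned is None or h.last_scanned < scan_cutoff
        ),
    }


def worst_hosts(hosts, today=TODAY):
    """Rank hosts by how many of the checks they fail, worst first."""
    report = audit(hosts, today)
    findings = {h.name: 0 for h in hosts}
    for key in ("unmonitored", "end_of_support", "patch_overdue", "scan_overdue"):
        for name in report[key]:
            findings[name] += 1
    return sorted(findings.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    result = audit(SAMPLE_INVENTORY)
    print(f"Monitoring coverage: {result['coverage_pct']}% of hosts forward logs")
    for key in ("unmonitored", "end_of_support", "patch_overdue", "scan_overdue"):
        print(f"{key:15s}: {', '.join(result[key]) or 'none'}")
    print("Priority order:", worst_hosts(SAMPLE_INVENTORY))
```

In a real estate the inventory would be populated from the CMDB, the SIEM’s list of reporting sources and the vulnerability scanner’s last-seen data; the point of the coverage figure is that a host which does not forward logs cannot generate an alert, which is what a monitoring figure of 5% implies.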

Placement of trust 

Ian Hulme, interim executive director for regulatory supervision at the ICO, commented: “Customers don’t have the choice over which water company serves them. They’re required to share their personal information and place their trust in that provider. It’s therefore essential that water companies honour this trust by taking their data protection responsibilities seriously.”

Hulme continued: “The steps that South Staffordshire failed to take are established, widely understood and effective controls to protect computer networks. The ICO expects all organisations – and particularly so those handling large volumes of personal information as part of Critical National Infrastructure – to have these in place.”

Further, Hulme noted: “Waiting for performance issues or a ransom note to discover a breach is not acceptable. Proactive security is a legal requirement, not an optional extra.”

Intention to fine

Last December, the ICO informed South Staffordshire that it intended to fine the organisation. The company then submitted representations, which were carefully considered by the ICO. This included detail around the improvements made after the attack, support offered to affected individuals and engagement with other regulators as well as the National Cyber Security Centre.

The ICO and South Staffordshire have now agreed a voluntary settlement. During the course of the investigation, South Staffordshire made an early admission of liability and, in accepting the ICO’s findings, has agreed to pay the penalty without appeal.

The ICO has applied a 40% reduction (bringing the final financial penalty to a total of £963,900) in recognition of the efficiencies that South Staffordshire’s early admission brought to the investigation.   

Ian Hulme concluded: “The ICO welcomes South Staffordshire’s early admission and co-operation in this case, duly allowing us to reach a voluntary settlement and save resources.”

*Further information is available online at www.ico.org.uk
