UK Water Company Fined £963,900 After Hackers Lurked Undetected for 22 Months, Regulator Reveals
A British utilities company responsible for providing drinking water to 1.6 million people has faced severe repercussions after failing to detect hackers within its network for nearly two years. The intrusion was uncovered only after noticeable IT performance issues prompted an internal investigation, according to findings from the UK’s Information Commissioner’s Office (ICO).
The ICO imposed a fine of £963,900 ($1.3 million) on South Staffordshire Water following an attack by the Cl0p ransomware group, which resulted in the personal data of 633,887 customers and employees being exposed in August 2022.
Timeline of the Breach
The breach began in September 2020 when an employee inadvertently opened a malicious email attachment. This action installed software that provided the attacker with initial access to the corporate network. The threat actor remained undetected until May 2022, when they began moving laterally across systems using a domain administrator account, which grants the highest level of access.
The intrusion was not identified until July 2022, when the company’s IT performance issues led to an internal investigation. Shortly thereafter, a ransom note was discovered, indicating that the attacker had attempted to communicate with certain staff members.
Following the incident, South Staffordshire Water found approximately 4.1 terabytes of data published on the dark web. This data included sensitive information such as names, addresses, dates of birth, bank account details, National Insurance numbers, and, for a small subset of customers on the Priority Services Register, information that could indicate disabilities.
Security Failures Identified
The ICO’s investigation pinpointed several critical security failures. One significant issue was the lack of adherence to the principle of least privilege, a standard security control that limits user access to only what is necessary for their roles. This oversight allowed the attacker to navigate freely within the network using a domain administrator account.
As of December 2021, over a year after the initial breach, an outsourced security operations center was monitoring only 5% of the company’s IT environment. The ICO’s report noted that endpoint telemetry and logging were not integrated into the company’s security monitoring platform. Alarmingly, some devices were still running Windows Server 2003, an operating system whose extended support ended in July 2015.
When the ICO requested records of internal or external vulnerability scans conducted between September 2020 and May 2022, the company confirmed that no such scans had been performed. Additionally, two domain controllers remained unpatched against a critical vulnerability known as ZeroLogon, which allows for rapid privilege escalation and was publicly disclosed in August 2020. This vulnerability was successfully exploited during the incident.
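The ICO findings above (a domain administrator account used to move laterally for two months, with endpoint logon telemetry never reaching the monitoring platform) describe exactly the signal a defender would want centralized logging to surface. The following is an added illustration, not code from the ICO notice or from South Staffordshire Water: a small detection that flags a privileged account authenticating to an unusual number of distinct hosts within a short window. The account name, host names and logon records are constructed for the example.

```python
"""Added example: flag a privileged account that fans out to many hosts
in a short window, the lateral-movement pattern the ICO notice describes.
All account names, host names and events below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED = {"CORPDOMAIN\\da-admin"}   # hypothetical domain admin account
MAX_HOSTS, WINDOW = 3, timedelta(minutes=30)

# Constructed Windows-style logon records: (timestamp, account, target host, logon type).
# Logon type 3 is a network logon, which remote access over SMB/RPC produces.
EVENTS = [
    ("2022-05-03T09:00:00", "CORPDOMAIN\\da-admin", "DC01", 3),
    ("2022-05-03T09:04:00", "CORPDOMAIN\\da-admin", "FILE01", 3),
    ("2022-05-03T09:06:00", "CORPDOMAIN\\da-admin", "HR-SQL01", 3),
    ("2022-05-03T09:09:00", "CORPDOMAIN\\da-admin", "BILLING02", 3),
    ("2022-05-03T09:12:00", "CORPDOMAIN\\jsmith", "WS-1187", 2),
    ("2022-05-03T14:30:00", "CORPDOMAIN\\jsmith", "WS-1187", 2),
]

def parse(ev):
    ts, acct, host, ltype = ev
    return datetime.fromisoformat(ts), acct, host, ltype

def detect_fanout(events, privileged=PRIVILEGED, max_hosts=MAX_HOSTS, window=WINDOW):
    """Return alerts as (account, window_start, sorted hosts) whenever a
    privileged account reaches more than max_hosts distinct hosts over the
    network within one window. Events need not arrive in order."""
    by_acct = defaultdict(list)
    for ts, acct, host, ltype in sorted(map(parse, events)):
        if acct in privileged and ltype == 3:
            by_acct[acct].append((ts, host))
    alerts = []
    for acct, hits in by_acct.items():
        for i, (start, _) in enumerate(hits):
            hosts = {h for ts, h in hits[i:] if ts - start <= window}
            if len(hosts) > max_hosts:
                alerts.append((acct, start, sorted(hosts)))
                break  # one alert per account per burst is enough
    return alerts

if __name__ == "__main__":
    for acct, start, hosts in detect_fanout(EVENTS):
        print(f"ALERT {start.isoformat()} {acct} -> {len(hosts)} hosts: {hosts}")
```

Without endpoint logon events feeding the monitoring platform, a rule like this has nothing to run on, which is the gap the ICO notice points at.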
Ian Hulme, the ICO’s Interim Executive Director for Regulatory Supervision, stated, “Waiting for performance issues or a ransom note to discover a breach is not acceptable. Proactive security is a legal requirement, not an optional extra.”
Industry Context and Reactions
The breach became public in August 2022 when the Cl0p group, in a failed extortion attempt, claimed to have stolen data from another water supplier, Thames Water, which serves approximately 15 million people in London and surrounding areas. The group alleged that it could alter the chemical composition of the water supply, a claim that South Staffordshire disputed. The ICO’s penalty notice did not indicate any compromise of operational or water treatment systems.
The ICO categorized the infringements as being of medium seriousness and reduced the fine in light of South Staffordshire’s cooperation, early admission of liability, and the mitigation measures it took. A further discretionary reduction was applied, although the reasoning for it remains redacted in the published notice.
Earlier this year, South Staffordshire entered a voluntary settlement, securing a 40% discount on the fine and agreeing not to appeal the ICO’s decision. This incident occurs amid a rising tide of cyberattacks targeting British water suppliers. Between January 2024 and October 2025, five incidents were reported to the Drinking Water Inspectorate, marking a record number for any two-year period, as reported by Recorded Future News.
Under current NIS Regulations, water suppliers are only required to notify authorities of cyber incidents that cause actual disruption to supplies. South Staffordshire’s breach, which became public in 2022, did not meet this threshold.
Regulatory and Technological Implications
The UK government is expected to introduce the Cyber Security and Resilience Bill to Parliament this year, aimed at expanding mandatory reporting requirements and enhancing security standards for critical infrastructure operators. While ransomware attacks on IT systems used by water companies have been documented, actual disruptions to water supply services due to cyberattacks remain rare.
In a notable case, residents of a remote area on Ireland’s west coast experienced a water outage for several days in December 2023 due to a successful attack on an operational technology (OT) component. This incident was attributed to a pro-Iran hacking group targeting facilities using equipment they claimed was made in Israel.
The U.S. federal government has issued warnings regarding the exploitation of Unitronics programmable logic controllers (PLCs), which are widely used in the water sector. Attacks on PLCs, which are critical components in many industrial control systems, pose significant concerns for defenders of critical infrastructure.
In the United States, initiatives to bolster the security of water systems faced setbacks when water industry groups collaborated with Republican lawmakers to halt federal efforts, despite a marked increase in ransomware attacks and state-sponsored intrusions.
In Canada, authorities warned of a hacktivist incident where water pressure was manipulated at a local utility, highlighting the vulnerabilities present in industrial control systems.
Charley Maher, Chief Executive of South Staffordshire Water, expressed regret over the incident, stating, “We accept the Information Commissioner’s Office’s decision relating to the cyber attack our Group experienced in 2022, and are sorry for the worry and concern it caused for customers and employees. We took immediate action to contain the incident, support those impacted and reduce the risk of recurrence.”
Maher emphasized the company’s commitment to enhancing cybersecurity measures, stating, “We have invested significantly to further strengthen our cyber security resilience, governance and monitoring, and we continue to enhance our capabilities as the threat landscape evolves. Protecting customer and employee information is a responsibility we take extremely seriously, and we remain focused on learning from this incident and maintaining strong safeguards across the Group.”
Source: therecord.media