Two bodies operating together as South Staffordshire fined by Information Commissioner’s Office following cyber attack.
The ICO has fined two companies, South Staffordshire Plc and South Staffordshire Water Plc, a total of £963,900 after a cyber attack resulted in the personal information of 633,887 people being stolen and then published on the dark web.
Of particular note in this case is that the initial attack, which gave the hackers access to the companies’ systems, went undetected for almost two years. The ICO’s investigation found significant failures in the approach to data security, leaving customers and employees vulnerable.
The problems began in September 2020 when a recipient opened the attachment in a ‘phishing’ or scam email, which – without their knowledge – installed malicious software. This remained undetected for over a year and a half. Then, in May 2022, the hacker used the software to move through the network and compromise system access.
This led to issues in IT performance and on July 15 an internal investigation was launched. Nine days later, the company reported to the ICO that there had been a breach of personal data, as required by law. On July 26, the South Staffordshire team discovered a ransom note that the hacker had unsuccessfully attempted to distribute to staff. Between August and November 2022, it was found that more than 4.1 terabytes of data had been published on the dark web.
At the time of the attack, South Staffordshire held personal information relating to some 1.9m current and former customers, and more than 5,000 current and former staff. As a result of the breach, personal information relating to 633,887 people was published on the dark web in August 2022. This included such details as names, addresses, account information (for customers) and HR information (for staff).
The ICO found that South Staffordshire had failed to implement appropriate security controls as required under UK data protection law. These included inadequate measures to stop the attacker escalating to administrator privileges after gaining initial access to the network, inadequate monitoring and logging, use of obsolete, unsupported software on some devices, and inadequate vulnerability management.
The fine is 40% less than it would otherwise have been, in recognition of the fact that South Staffordshire made an early admission of liability and agreed a voluntary settlement with the ICO, which it will pay without appeal.
Ian Hulme, Interim Executive Director for Regulatory Supervision at the ICO, says: ‘Customers do not have the choice over which water company serves them — they are required to share their personal information and place their trust in that provider. It is therefore essential that water companies honour that trust by taking their data protection responsibilities seriously.
‘The steps that South Staffordshire failed to take are established, widely understood and effective controls to protect computer networks. The ICO expects all organisations — and particularly those handling large volumes of personal information as part of critical national infrastructure — to have these in place.
‘Waiting for performance issues or a ransom note to discover a breach is not acceptable. Proactive security is a legal requirement, not an optional extra.’