
South Staffordshire Water fined nearly $1.3 million over data breach


South Staffordshire Water Plc and its parent company have been fined £963,900 (approximately $1.3 million) over a significant cyberattack that exposed the personal data of over 663,000 customers and employees. The breach, which began in September 2020, was only discovered in July 2022 after IT performance issues prompted an investigation, according to a recent report by Bleeping Computer.

The cyberattack on South Staffordshire Water Plc began with a phishing attempt that allowed attackers to install malware, which went undetected for nearly two years. Between May and July 2022, the attackers escalated privileges, gaining domain administrator access. This led to the exposure of sensitive information including full names, addresses, email addresses, phone numbers, dates of birth, bank account details, and employee National Insurance numbers.

The Information Commissioner's Office (ICO) cited multiple security failures, such as insufficient controls for privilege escalation, limited monitoring, use of obsolete software like Windows Server 2003, poor vulnerability management, and a lack of security scans. These failures violated UK data protection regulations. The initial fine was reduced by 40% due to the company admitting liability, cooperating with the investigation, and agreeing to a settlement.

Source: Bleeping Computer
