The ICO has issued its third GDPR fine of 2026. It has fined South Staffordshire Plc and South Staffordshire Water Plc £963,900 after a cyber-attack resulted in the personal data of 633,887 people being extracted and published on the dark web.
As with many cyber-attacks, it started with a phishing email. The recipient opened an attachment, which allowed the attacker to install malicious software that then remained undetected on the company’s systems for 20 months. In May 2022 the attacker moved laterally through the network and obtained domain administrator privileges, the highest level of access to the IT estate.
The company reported a personal data breach to the ICO on 24 July 2022. Then, on 26 July 2022, South Staffordshire discovered a ransom note that the hacker had unsuccessfully attempted to distribute to certain members of staff. Between August and November 2022, South Staffordshire detected that over 4.1 terabytes of data had been published on the dark web.
The data published on the dark web in August 2022 related to 633,887 people. It included employees’ personal details and HR records, as well as customer account information, including usernames and passwords for South Staffordshire Water’s online services and customers’ bank account numbers and sort codes.
The ICO investigation found that South Staffordshire failed to implement appropriate security controls required under the UK GDPR. These failures included:
- Limited controls enabled the attacker to escalate to administrator privileges after gaining an initial foothold on the network.
- Inadequate monitoring and logging – only 5% of the IT environment was being monitored, meaning malicious activity was not detected.
- Use of obsolete, unsupported software on some devices, including Windows Server 2003.
- Inadequate vulnerability management, including unpatched critical systems and the absence of regular internal or external security scans.
The ICO applied a 40% reduction to the originally proposed penalty “in recognition of the efficiencies that South Staffordshire’s early admission brought to the investigation.”
This is the first ICO fine for a cyber-attack since November last year, when it fined the password manager provider LastPass UK Ltd £1.2 million following a 2022 data breach that compromised the personal data of up to 1.6 million UK users. Before that, the ICO issued a £14m fine to Capita following a cyber-attack in March 2023 in which hackers gained access to 6.6 million people’s personal data, from pension and staff records to the details of customers of the organisations Capita supports.
The ICO is urging organisations to review their cyber resilience and ask themselves:
- Are controls in place so that users and systems can only access what they genuinely need?
- Are logging and monitoring controls in place providing sufficient coverage of the IT environment, and are alerts being acted upon?
- Are all systems patched and supported? Legacy or end-of-life software represents a significant and avoidable risk.
- Is vulnerability management part of regular operational practice, including both internal and external scanning?
In episode 4 of the Guardians of Data Podcast, cyber security expert Olu Odeniyi reviews recent high-profile cyber security breaches and the lessons learnt.
Our Cyber Security for DPOs workshop is ideal for organisations that wish to upskill their employees in cyber security. See also our new Data Breach Management Workshop.