
South Staffordshire Water Fined £964,000 After Hackers Lurked Undetected for Two Years

Date May 12, 2026 / 4 Min Read

The Information Commissioner’s Office fined South Staffordshire Water £963,900 on Monday after the Cl0p ransomware group remained inside its network for nearly two years, exposing the personal data of 633,887 customers and employees. The attack began with a single phishing email in September 2020, yet the company did not discover the breach until performance issues triggered an internal investigation in July 2022.

The fine comes as British water suppliers face a record number of cyberattacks. The Drinking Water Inspectorate received five cybersecurity incident reports between January 2024 and October 2025, according to data obtained under freedom of information laws by Recorded Future News. That is more than any previous two-year period on record.

Twenty Months of Undetected Access

According to the ICO penalty notice, an employee opened a malicious email attachment in September 2020, installing software that gave the attacker a foothold on the corporate network. The threat actor then remained hidden until May 2022 before beginning to move laterally across systems using a domain administrator account, the highest level of system access available.

South Staffordshire did not identify the intrusion until IT performance issues prompted an internal investigation on 15 July 2022. Two weeks later, the company discovered a ransom note the attacker had unsuccessfully attempted to distribute to certain staff members. Between August and November 2022, the company detected that over 4.1 terabytes of data had been published on the dark web.

The ICO identified systematic security failures across South Staffordshire’s environment. Only around five percent of the organization’s IT infrastructure was actively monitored, according to regulators. The company was running outdated and unsupported software, including Windows Server 2003, and had poor vulnerability management practices that left critical systems unpatched.

Water Sector Under Pressure

The South Staffordshire fine reflects broader pressure on UK water infrastructure. Under current NIS Regulations, water suppliers are only required to notify authorities of cyber incidents that cause actual disruption to supplies. The five recent attacks reported to the Drinking Water Inspectorate were reported voluntarily, suggesting the true number of incidents affecting the sector may be higher.

ICO interim executive director Ian Hulme used the case to issue a warning to other utilities. “Customers do not have the choice over which water company serves them,” Hulme said. “They are required to share their personal information and place their trust in that provider. It is therefore essential that water companies honour that trust by taking their data protection responsibilities seriously.”

The government’s Cyber Security and Resilience Bill, expected to be introduced to Parliament this year, will expand mandatory reporting requirements and improve security standards for critical infrastructure operators. The legislation cannot come soon enough: the National Cyber Security Centre has already responded to 50% more nationally significant incidents in 2024 compared to the previous year.

A 40% Reduction for Cooperation

South Staffordshire received a 40% reduction in its fine after making an early admission of liability and agreeing not to appeal the penalty. The company also submitted evidence of security improvements made after the incident and cooperation with both the ICO and the National Cyber Security Centre.

The original fine would have exceeded £1.6 million without the reduction. The ICO informed the company in December 2025 of its intention to impose a penalty, giving South Staffordshire time to prepare its representations. The voluntary settlement agreement avoided a lengthy appeal process that would have consumed resources on both sides.

The attack did not compromise the safety of drinking water supplies, though it disrupted corporate systems. That distinction matters under current regulations, but may not provide the same protection once the new Cyber Security and Resilience Bill becomes law.
