ICO fines South Staffs almost £1m following cyber breach
- May 16
- 2 min read
(by Verity Mitchell)
The Information Commissioner's Office (ICO) has fined South Staffordshire plc and South Staffordshire Water £963,900 following a serious cyber attack that resulted in the personal information of 633,887 people being extracted and published on the dark web. The ICO said the attack exposed significant failures in the company's approach to data security and left customers and employees vulnerable for nearly two years.
South Staffordshire's cyber attack began with a successful phishing email in September 2020. The recipient opened an attachment, which enabled the attacker to install malicious software that remained undetected within the organisation's systems for 20 months. Then, in May 2022, the attacker obtained domain administrator privileges, the highest level of access to the IT network.
The breach was identified when IT performance issues prompted an internal investigation on 15 July 2022. The company reported the personal data breach to the ICO on 24 July 2022. Two days later, South Staffordshire discovered a ransom note that the hacker had unsuccessfully attempted to distribute to certain staff. Between August and November 2022, South Staffordshire detected that over 4.1 terabytes of data had been published on the dark web. This included:
- People's personal details such as full name, physical address, email address, date of birth, gender and telephone number.
- For employees, information including National Insurance numbers.
- For customers, account information and bank account numbers and sort codes.
- For a small percentage of customers on the Priority Services Register, information from which disabilities could be inferred.
The ICO found that South Staffordshire had failed to implement security controls required under UK data protection law. These failures included:
- Limited controls, which enabled the attacker to gain administrator privileges after gaining an initial foothold on the network.
- Inadequate monitoring and logging: only 5% of the IT environment was being monitored, so malicious activity was not detected.
- Use of obsolete, unsupported software on some devices, including Windows Server 2003.
- Inadequate vulnerability management and the absence of regular internal or external security scans.
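The four findings above map directly onto checks a defender can run routinely. The script below is an added illustration, not anything from the ICO's notice or from South Staffordshire's environment: it works over a constructed asset inventory and a few constructed key=value event records (hypothetical hosts, accounts and dates), reporting monitoring coverage, hosts on unsupported operating systems, hosts with stale or missing vulnerability scans, and additions to privileged directory groups. The unsupported-OS set and the 30-day scan window are assumptions for the example; Windows event ID 4728 ("a member was added to a security-enabled global group") is real, but the log format here is not Windows' own.

```python
import re
from datetime import date, timedelta

# Constructed asset inventory: hypothetical hosts, OS versions and scan dates.
INVENTORY = [
    {"host": "dc01",  "os": "Windows Server 2019",    "monitored": True,  "last_scan": date(2022, 7, 1)},
    {"host": "fs02",  "os": "Windows Server 2003",    "monitored": False, "last_scan": None},
    {"host": "app03", "os": "Windows Server 2012 R2", "monitored": False, "last_scan": date(2021, 11, 20)},
    {"host": "ws04",  "os": "Windows 10",             "monitored": False, "last_scan": date(2022, 6, 28)},
]

# Assumed end-of-support set for an audit dated mid-2022; maintain from vendor lifecycle data.
UNSUPPORTED_OS = {"Windows Server 2003", "Windows Server 2008", "Windows Server 2008 R2", "Windows 7"}

# Constructed event records in a simple key=value format (not real Windows log output).
EVENT_LINES = [
    '2022-05-03T02:14:07Z EventID=4728 Group="Domain Admins" Member="CORP\\svc-backup" Subject="CORP\\jdoe"',
    '2022-05-03T09:41:55Z EventID=4728 Group="Finance Users" Member="CORP\\asmith" Subject="CORP\\helpdesk"',
    '2022-05-04T22:03:12Z EventID=4624 LogonType=10 Account="CORP\\svc-backup"',
]

# Directory groups whose membership changes should always raise an alert.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value line into a dict; the leading token is the timestamp."""
    timestamp, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    fields["timestamp"] = timestamp
    return fields


def privileged_group_additions(lines, watched=PRIVILEGED_GROUPS):
    """Return additions to privileged groups (event 4728) that a defender should alert on."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "4728" and ev.get("Group") in watched:
            hits.append({"when": ev["timestamp"], "group": ev["Group"],
                         "member": ev.get("Member"), "by": ev.get("Subject")})
    return hits


def monitoring_coverage(inventory):
    """Percentage of inventoried hosts that feed a monitoring/logging pipeline."""
    if not inventory:
        return 0.0
    return 100.0 * sum(1 for h in inventory if h["monitored"]) / len(inventory)


def unsupported_hosts(inventory, unsupported=UNSUPPORTED_OS):
    """Hosts running an operating system that no longer receives security updates."""
    return sorted(h["host"] for h in inventory if h["os"] in unsupported)


def stale_scan_hosts(inventory, as_of, max_age_days=30):
    """Hosts never scanned, or not scanned within max_age_days of as_of."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(h["host"] for h in inventory
                  if h["last_scan"] is None or h["last_scan"] < cutoff)


def audit(inventory=INVENTORY, lines=EVENT_LINES, as_of=date(2022, 7, 15)):
    """One summary dict covering the four control areas."""
    return {
        "monitoring_coverage_pct": monitoring_coverage(inventory),
        "unsupported_os": unsupported_hosts(inventory),
        "stale_vuln_scans": stale_scan_hosts(inventory, as_of),
        "privileged_group_additions": privileged_group_additions(lines),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

On the constructed data the audit reports 25% monitoring coverage, one unsupported host, two hosts without a recent scan and one addition to Domain Admins; in a real estate the inventory would come from the CMDB and the events from the SIEM, and the privileged-group check is the one worth wiring to a paged alert rather than a periodic report.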
Because South Staffordshire made an early admission of liability, has made security improvements, offered to support affected people, and engaged with other regulators and the National Cyber Security Centre, the ICO applied a 40% reduction to the originally proposed fine.