ICO (UK) - South Staffordshire Plc & South Staffordshire Water Plc
ICO fines South Staffordshire Water £963,900 for inadequate security measures enabling cyber-attack data breach.
Summary
South Staffordshire Plc and South Staffordshire Water Plc were fined £963,900 by the UK ICO for failing to implement appropriate technical and organisational security measures under UK GDPR Articles 5(1)(f) and 32. A cyber-attack originating from a phishing email in September 2020 led to the installation of Get2 and SDBBOT RAT malware, enabling threat actors to exfiltrate approximately 4.121 TB of personal data belonging to 633,887 individuals including customers, employees, and Priority Services Register members by May 2022.
Full text
ICO - South Staffordshire Plc & South Staffordshire Water Plc

- Authority: ICO (UK)
- Jurisdiction: United Kingdom
- Relevant Law: Article 32 UK GDPR; Article 5(1)(f) UK GDPR
- Type: Investigation
- Outcome: Violation Found
- Started: 11.10.2020
- Decided: 07.05.2026
- Published:
- Fine: 963,900 GBP
- Parties: South Staffordshire Plc; South Staffordshire Water Plc
- National Case Number/Name: South Staffordshire Plc & South Staffordshire Water Plc
- European Case Law Identifier: n/a
- Appeal: Unknown
- Original Language(s): English
- Original Source: ICO (in EN)
- Initial Contributor: bms

A controller was fined £963,900 (€1,113,858.12) for failing to implement appropriate technical and organisational security measures that led to a data breach following a cyber-attack.

English Summary

Facts

South Staffordshire Plc (the controller) is an integrated services group that operates a regulated water company, South Staffordshire Water Plc, as well as several complementary non-regulated businesses that serve essential services in the UK. In July 2022, the controller became aware of a cyber-attack in which the threat actor used Cobalt Strike on multiple devices to enable command-and-control communications. The controller launched an investigation and determined that the initial access had occurred in September 2020 through a successful phishing campaign.
Opening a malicious email attachment resulted in the installation of Get2 and the SDBBOT Remote Access Trojan, which enabled persistence on the endpoint. The threat actor is understood to have remained dormant, with potential access to the network, until May 2022. The controller later discovered a ransom note that the threat actor had unsuccessfully attempted to distribute to certain staff members. In that note, the threat actor claimed to have exfiltrated 5.5 TB of data. The controller identified an approximate total of 4.121 TB of exfiltrated data published on the dark web.

The published data included the personal data of approximately 633,887 UK data subjects. This comprised current customers, former customers, individuals on the Priority Services Register, and current and former employees. The following categories of personal data were published on the dark web:
- personal details: full name, physical address and email address, date of birth/age, gender, telephone number;
- for employees only, HR information: employee number, applicant number, National Insurance number, username and password;
- for customers only, account information: customer reference number, property information including occupant information, bank account number and sort code, financial status information, Priority Services data, username and password;
- for a small percentage of customers on the Priority Services Register, information from which disabilities could be inferred.

Not all affected data subjects had data falling within every category listed above. The data published on the dark web also included race or ethnicity data relating to one former customer and religion or philosophical belief data relating to one former customer. The incident constituted a personal data breach, as it involved unauthorised access to and unauthorised disclosure of personal data.
The controller reported the breach to the DPA in July 2022 and notified 390,628 data subjects, having determined that notification was required under Article 34 UK GDPR.

Holding

The DPA held that the controller infringed Article 5(1)(f) and Article 32(1) UK GDPR. In particular, the DPA found that the controller failed to:
- properly implement the principle of least privilege;
- implement adequate security monitoring and logging;
- migrate away from certain devices running obsolete software; and
- implement adequate vulnerability management across its IT environment.

The DPA concluded that the infringements were sufficiently serious to warrant a monetary penalty of £963,900 (€1,113,858.12). In reaching this decision, it considered several factors, including the nature of the infringements, the number of affected data subjects, the duration of the infringements, the controller's negligence, the categories of personal data involved, the controller's annual turnover, and relevant aggravating and mitigating factors.

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

NON-CONFIDENTIAL FOR PUBLICATION

Penalty Notice to South Staffordshire Plc & South Staffordshire Water Plc under Section 155(1) Data Protection Act 2018
7 May 2026
MONETARY PENALTY NOTICE
South Staffordshire Plc
South Staffordshire Water Plc

Contents
I. INTRODUCTION AND SUMMARY (page 3)
II. RELEVANT LEGAL FRAMEWORK (page 5)
III. BACKGROUND TO THE INFRINGEMENTS (page 6)
  1) Background to South Staffordshire's processing of personal data (page 6)
  2) Cyber-attack incident (page 8)
IV. INFRINGEMENTS (page 12)
  1) Legal framework (page 12)
  2) Technical and organisational measures (page 13)
  3) Summary of the Commissioner's findings on infringements (page 17)
V. DECISION TO IMPOSE A PENALTY (page 17)
VI. CALCULATION OF THE PENALTY (page 20)
  1) Relevant statutory maximum (page 20)
  2) Step 1: Assessment of the seriousness of the infringements (page 21)
  3) Step 2: Accounting for turnover (page 24)
  4) Step 3: Calculating the starting point (page 24)
  5) Step 4: Aggravating and mitigating factors (page 25)
  6) Step 5: Adjustment to ensure the fine is effective, proportionate and dissuasive (page 25)
  7) Settlement discount (page 27)
VII. FINANCIAL HARDSHIP (page 27)
VIII. PAYMENT OF THE PENALTY (page 28)
IX. RIGHTS OF APPEAL (page 28)
ANNEX 1 (page 30)

DATA PROTECTION ACT 2018 (PART 6, SECTION 155)
ENFORCEMENT POWERS OF THE INFORMATION COMMISSIONER
PENALTY NOTICE
To: South Staffordshire Plc and South Staffordshire Water Plc
Of: Green Lane, Walsall, West Midlands WS2 7PD
FAO:

I. INTRODUCTION AND SUMMARY

1. Pursuant to section 155(1)(a) of the Data Protection Act 2018 ("DPA 2018"), by this written notice ("Penalty Notice"), the Information Commissioner (the "Commissioner") requires South Staffordshire Plc & South Staffordshire Water Plc (together, "South Staffordshire") to pay the Commissioner a penalty of £963,900.

2. This Penalty Notice is issued in respect of the Commissioner's findings of infringement of Article 5(1)(f) and Article 32(1) of the UK General Data Protection Regu
Indicators of Compromise
- malware — Cobalt Strike
- malware — Get2
- malware — SDBBOT