[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$faL0SwNyilQVfOlsyOWh7tXcHSNAoyCp8vyjBb-X53tg":3},{"article":4,"iocs":48},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":27,"category":28,"article_tags":32},"5c2660b2-362e-4f85-aae2-a02c732247a1","UK fines water supplier $1.3M for exposing data of 664k customers","uk-fines-water-supplier-1-3m-for-exposing-data-of-664k-customers-849dd8","The Information Commissioner's Office has fined South Staffordshire Water Plc and parent company South Staffordshire Plc £963,900 ($1.3 million) over a cyberattack that exposed the personal data of 663,887 customers and employees. [...]","The UK Information Commissioner's Office fined South Staffordshire Water Plc £963,900 ($1.3M) for a cyberattack that exposed personal data of 663,887 customers and employees. The breach, initially claimed by Cl0p ransomware gang, began in September 2020 but remained undetected for 20 months until discovery in July 2022; exposed data included names, addresses, email, phone numbers, dates of birth, bank details, and employee HR information. The ICO identified critical security failures including insufficient privilege escalation controls, inadequate monitoring (5% coverage), obsolete software, poor patch management, and lack of security scans.","UK ICO fines water supplier £963,900 for 2020-2022 cyberattack exposing 664k customers.","UK fines water supplier $1.3M for exposing data of 664k customers By Bill Toulas May 12, 2026 04:17 PM 0 The Information Commissioner's Office has fined South Staffordshire Water Plc and parent company South Staffordshire Plc £963,900 ($1.3 million) over a cyberattack that exposed the personal data of 663,887 customers and employees. The company supplies 330 million liters of drinking water to 1.6 million consumers daily and, in 2022, disclosed that it was the target of a cyberattack that disrupted its IT operations. At the time, the company dismissed claims from the Cl0p ransomware gang, which claimed the attack (after initially misidentifying their victim), but the leaked data samples appeared genuine. The ICO’s investigation has now confirmed that the leaked data was indeed authentic, belonging to South Staffordshire Water Plc, and also noted that the compromise had actually started in September 2020. “We have fined South Staffordshire Plc and South Staffordshire Water Plc (together South Staffordshire) £963,900 following a serious cyber attack that resulted in the personal information of 633,887 people being extracted and published on the dark web,” reads the ICO’s announcement. “The attack, which can be traced back to September 2020 but largely took place between May and July 2022, exposed significant failures in the company's approach to data security and left customers and employees vulnerable for nearly two years.” According to the ICO, the breach occurred through a phishing attack that enabled the attackers to install malware on the firm’s systems. The malware remained undetected for 20 months. Between May and July 2022, the attacker escalated privileges across South Staffordshire Plc’s network and gained domain administrator access. The breach was only discovered in July 2022 after IT performance problems triggered an investigation. The leaked data included full names, physical addresses, email addresses, phone numbers, dates of birth, customer account credentials, bank account details, and employee HR data such as National Insurance numbers. The ICO has found multiple security failures leading to this data exposure incident, including: Insufficient controls to prevent privilege escalation Monitoring covered only about 5% of the IT environment Use of obsolete software, such as Windows Server 2003 Poor vulnerability management and missing security patches Lack of regular internal and external security scans These failures constitute a violation of UK data protection requirements, the regulator said, which is why a fine was imposed. The initial amount was larger, but because South Staffordshire admitted liability early, cooperated with the investigation, and agreed to settle without appeal, the ICO reduced the penalty by 40%. 99% of What Mythos Found Is Still Unpatched. AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what's exploitable, proves controls hold, and closes the remediation loop. Claim Your Spot Related Articles: GM agrees to $12.75M California settlement over sale of drivers’ dataTrellix source code breach claimed by RansomHouse hackersKarakurt extortion gang ‘cold case’ negotiator gets 8.5 years in prisonGerman authorities identify REvil and GandCrab ransomware bossesInterpol operation Synergia takes down 1,300 servers used for cybercrime","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fuk-fines-water-supplier-13m-for-exposing-data-of-664k-customers\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2025\u002F03\u002F03\u002FUK-ICO.jpg","2026-05-12T20:17:19+00:00","2026-05-12T22:00:10.713539+00:00",8,[18,21,24],{"name":19,"type":20},"South Staffordshire Water Plc","vendor",{"name":22,"type":23},"Cl0p","threat_actor",{"name":25,"type":26},"Windows Server 2003","product","d95477d7-eb04-4fad-a2dc-be1428040ce7",{"id":27,"icon":29,"name":30,"slug":31},null,"Privacy Fines","privacy-fines",[33,38,43],{"category":34},{"id":35,"icon":29,"name":36,"slug":37},"23e81061-ab06-449f-8807-cbe4bc305045","UK Data Protection","uk-data-protection",{"category":39},{"id":40,"icon":29,"name":41,"slug":42},"2e06f76c-d5b9-4f54-9eef-4d3447b10730","Breaches","breaches",{"category":44},{"id":45,"icon":29,"name":46,"slug":47},"c5c77cdb-f7d7-4990-9436-c81dcbff1163","Policy","policy",[49],{"type":50,"value":22,"context":51},"malware","Ransomware gang that initially claimed the South Staffordshire Water attack"]