The Information Commissioner's Office has fined South Staffordshire Water Plc and parent company South Staffordshire Plc £963,900 ($1.3 million) over a cyberattack that exposed the personal data of 663,887 customers and employees.
The company supplies 330 million liters of drinking water to 1.6 million consumers daily and, in 2022, disclosed that it was the target of a cyberattack that disrupted its IT operations.
At the time, the company dismissed the claims of the Cl0p ransomware gang, which took responsibility for the attack (after initially misidentifying its victim), although the leaked data samples appeared genuine.
The ICO’s investigation has now confirmed that the leaked data was authentic and belonged to South Staffordshire Water Plc, and found that the compromise had begun in September 2020.
“We have fined South Staffordshire Plc and South Staffordshire Water Plc (together South Staffordshire) £963,900 following a serious cyber attack that resulted in the personal information of 633,887 people being extracted and published on the dark web,” reads the ICO’s announcement.
“The attack, which can be traced back to September 2020 but largely took place between May and July 2022, exposed significant failures in the company's approach to data security and left customers and employees vulnerable for nearly two years.”
According to the ICO, the breach occurred through a phishing attack that enabled the attackers to install malware on the firm’s systems. The malware remained undetected for 20 months.
Between May and July 2022, the attacker escalated privileges across South Staffordshire Plc’s network and gained domain administrator access.
The breach was only discovered in July 2022 after IT performance problems triggered an investigation.
The leaked data included full names, physical addresses, email addresses, phone numbers, dates of birth, customer account credentials, bank account details, and employee HR data such as National Insurance numbers.