Image caption (BBC): The hack went undetected by the firm for 20 months, regulators found
A water company has been fined after hundreds of thousands of customers had their personal data hacked.
South Staffordshire, made up of South Staffordshire Plc and South Staffordshire Water Plc, was ordered to pay £963,900 by the Information Commissioner's Office (ICO) following the cyber attack, traced back to September 2020.
The firm supplies south Staffordshire, Walsall, Dudley, north Warwickshire, north Worcester and south Derbyshire.
Personal information of 633,887 people was taken and published on the dark web in the attack, which largely took place between May and July 2022, the ICO found.
The watchdog and water company agreed a voluntary settlement and South Staffordshire made an early admission of liability, agreeing to pay the penalty without appeal.
A phishing email was used to launch the hack which allowed the cyber attackers to install malicious software and it remained undetected within the organisation's systems for 20 months.
In May 2022, the hacker went through the firm's network and took over administrator privileges — the highest level of system access to the IT network, the ICO said.
Ransom note
The breach came to light when IT performance issues prompted an internal investigation on 15 July 2022.
The company reported a personal data breach a few days later. Then, on 26 July 2022, South Staffordshire found a ransom note that the hacker had unsuccessfully attempted to send to certain members of staff.
Between August and November 2022, South Staffordshire discovered more than 4.1 terabytes (TB, each equal to 1,000GB) of data were published on the dark web.
They included bank details of customers and National Insurance numbers of staff.
The ICO's investigation found South Staffordshire failed to bring in adequate security controls under UK data protection law, which allowed the hackers to get administrator access.
They were also able to operate largely undetected because the firm carried out minimal monitoring of their activities and used obsolete systems, and they took advantage of failures including a lack of regular security scans.
Ian Hulme, from the ICO, said: "Waiting for performance issues or a ransom note to discover a breach is not acceptable. Proactive security is a legal requirement, not an optional extra."