The ICO (Information Commissioner’s Office) has fined South Staffordshire Plc and its subsidiary South Staffordshire Water Plc £963,900 after the personal data of 633,887 customers and employees was compromised in a cyber attack and subsequently published on the dark web.

The penalty is among the largest the ICO has issued to an organisation for a data security failure.

What happened?

The attack began in September 2020 when an employee mistakenly opened a malicious attachment in a phishing email, thereby installing malware on South Staffordshire’s network.

This malware went undetected for 20 months until, in May 2022, the threat actors used it to move laterally through the network and obtain administrator privileges, giving them unfettered access to South Staffordshire’s systems.

The breach was discovered only when IT performance issues prompted an internal investigation in July 2022. A ransom note, which the attackers had tried to distribute to staff, was found days later.

By the end of 2022, South Staffordshire confirmed that over 4.1 terabytes of data had been exfiltrated and published on the dark web, including the personal details of 633,887 people: names, addresses, bank account details, online account credentials and, for some customers on the Priority Services Register, information from which disabilities could be inferred.

What does this mean for those affected?

Emma Young, a senior data privacy consultant at GRC Solutions, explains why this case deserves particular attention:

“This breach is deeply worrying for everyone affected, especially given the sensitivity of the personal and financial information reported to have been exposed. Water companies hold a wealth of sensitive information, including whether someone is on the ‘Priority Services Register’, which indicates someone in their household has a vulnerability. We know from the ICO report that information about disabilities and financial hardship was compromised and made available on the dark web – an ideal resource for scammers.

“For customers, this raises real concerns about privacy, fraud and the long-term consequences of having sensitive personal data compromised. It also underlines how essential it is for organisations responsible for critical public services to have strong, proactive cyber security and data protection measures in place.

“For anyone affected, I would recommend continuing to be extra cautious about unexpected calls, texts or emails even though the breach was some time ago. Keep a regular eye on your bank account and credit activity and report anything unusual immediately.

“Unfortunately, large data breaches like this are next to impossible to contain once the information is on the dark web, which is why transparency, accountability and long-term support for those affected matter just as much now as they did when the breach first came to light.”


Who was behind the attack?

The attack has been attributed to Cl0p, a Russian criminal group first observed in 2019. Cl0p operates under a RaaS (Ransomware-as-a-Service) model, in which a core group develops and maintains the malware while affiliates carry out attacks in exchange for a share of the proceeds.

This model became one of the defining features of the ransomware landscape in the early 2020s, enabling groups with relatively modest technical resources to deploy sophisticated tools against large organisations.

In June 2021 – while Cl0p’s malware was already resident inside South Staffordshire’s network – Ukrainian authorities arrested six suspected members of the gang in a joint operation with South Korean and US agencies. These arrests temporarily disrupted the group’s operations, forcing a pause between late 2021 and early 2022.

Cl0p resumed activity in May 2022 – the month it escalated its attack on South Staffordshire – and has remained active ever since. In 2023, it exploited zero-day vulnerabilities in MOVEit Transfer to breach over 2,700 organisations globally, with UK victims including the BBC, British Airways, Boots and Ofcom.

As of early 2026, it continues to operate.

How does the fine compare to other ICO enforcement action?

The UK GDPR (General Data Protection Regulation) sets out two tiers of administrative fines. Less serious breaches can attract fines of up to £8.7 million or 2% of annual global turnover, whichever is higher. The most serious infringements – breaches of fundamental data protection principles, individuals’ rights or rules on international data transfers – can attract fines of up to £17.5 million or 4% of annual global turnover, again whichever is higher.

The ICO applies penalties proportionately, weighing factors such as the nature and duration of the breach, the number of people affected and the degree of cooperation offered. South Staffordshire made an early admission of liability and agreed to settle without appeal, earning a 40% reduction on the intended penalty. That cooperation matters – but it doesn’t compensate for the underlying failures.

To contextualise the fine: the largest penalty in UK data protection history remains the £20 million issued to British Airways in 2020. Marriott Hotels received £18.4 million the same year. More recently, in 2025, Capita settled for £14 million – down from an intended £45 million – after a ransomware attack led to the theft of 6.6 million personal data records.

What should data controllers and processors do?

The ICO used this case to issue a direct challenge to all organisations handling personal data.

Under Article 32 of the UK GDPR, controllers and processors alike must implement TOMs (technical and organisational measures) appropriate to the risk their processing presents.

In practice, this means organisations should be actively reviewing their approach to:

  • Access controls – applying least-privilege principles so that a compromised account cannot easily become a gateway to the whole network.
  • Monitoring – ensuring sufficient coverage of the IT environment and acting on alerts promptly.
  • Patch management – keeping all systems updated and retiring end-of-life software.
  • Vulnerability scanning – conducting regular internal and external security assessments.
  • Staff training – phishing remains one of the most common attack vectors; awareness training is a basic and effective control.
  • Incident response – having a tested plan for how to contain, investigate and report a breach when one occurs.
  • Breach notification – Article 33 of the UK GDPR requires controllers to notify the ICO of a breach without undue delay and, where feasible, within 72 hours. Processors must notify their controllers without undue delay.


What should we learn from this incident?

The South Staffordshire case is not unusual in how it began. Phishing emails are one of the most common entry points for attackers, and Cl0p was among the most prolific ransomware operations of the period.

What makes this incident unusual is the duration: 20 months of undetected access, followed by the publication of more than 4 terabytes of personal data.

As Ian Hulme, the ICO’s interim executive director for regulatory supervision, put it: “Waiting for performance issues or a ransom note to discover a breach is not acceptable. Proactive security is a legal requirement, not an optional extra.”

How, then, can you ensure your data isn’t misused without your knowledge?


How to protect your data from misuse

Data seeding is the practice of planting synthetic records, also known as honey tokens or canary tokens, into a database. Because the records correspond to no real person, any appearance of them outside the systems that should hold them shows that the data has been copied or breached, and lets you monitor how the information is being handled.

Used alongside other TOMs, it can help you protect the personal data you process and reduce the risk of data breaches.
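As an added illustration (not code from the original article or from GRC Solutions), the sketch below seeds a customer table with synthetic canary records derived from a secret key, using a different set for each copy of the data, so that a suspected dump can be checked for them and matched to the copy it came from. The table layout, the key, the `example.invalid` domain and the dataset labels are all assumptions.

```python
import hashlib
import hmac
import sqlite3

# Constructed demo key; in practice the key lives outside the seeded database,
# so an attacker holding the data cannot tell canaries from real rows.
CANARY_KEY = b"constructed-demo-key-not-for-production"

def canary_email(dataset_label: str, n: int) -> str:
    """Derive a unique, unguessable synthetic e-mail for canary n of one dataset copy.
    A real deployment would use a domain whose mailbox you monitor, so that any
    message sent to the address is itself an alert."""
    tag = hmac.new(CANARY_KEY, f"{dataset_label}:{n}".encode(), hashlib.sha256).hexdigest()[:12]
    return f"cust.{tag}@example.invalid"

def seed_canaries(conn: sqlite3.Connection, dataset_label: str, count: int = 3) -> list:
    """Insert `count` synthetic customer rows tied to dataset_label; return their e-mails."""
    rows = [(f"Canary {dataset_label}-{n}", canary_email(dataset_label, n), "00000000")
            for n in range(count)]
    conn.executemany("INSERT INTO customers (name, email, account_no) VALUES (?, ?, ?)", rows)
    conn.commit()
    return [email for _, email, _ in rows]

def identify_leaked_copy(leaked_emails, dataset_labels, count: int = 3) -> list:
    """Recompute every canary for the known dataset copies and report which copies
    have a canary present in the suspected dump (case-insensitive match)."""
    leaked = {e.strip().lower() for e in leaked_emails}
    hits = {label for label in dataset_labels
            for n in range(count) if canary_email(label, n) in leaked}
    return sorted(hits)

def demo() -> list:
    """Seed two copies (production and a third-party export) and check a constructed dump."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT, account_no TEXT)")
    seed_canaries(conn, "prod-db")
    export = seed_canaries(conn, "third-party-export")
    # Constructed "dump": two ordinary-looking addresses plus one export canary, re-cased.
    dump = ["alice@example.com", export[1].upper(), "bob@example.com"]
    return identify_leaked_copy(dump, ["prod-db", "third-party-export"])

if __name__ == "__main__":
    print(demo())  # ['third-party-export']
```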