Lawyers of data breach victims welcome almost £1 million fine for South Staffs Water over cyber attack affecting more than 600,000 people
Data breach lawyers at Leigh Day have welcomed a £963,900 fine imposed by the Information Commissioner's Office (ICO) on South Staffordshire Plc and South Staffordshire Water Plc (together South Staffordshire) following a serious cyber-attack which resulted in the personal information of 633,887 customers and employees being published on the dark web.
Posted on 13 May 2026
Leigh Day is currently acting for over 6,500 affected customers in claims for compensation for the anxiety, distress and/or financial losses caused by the data breach.
In its Monetary Penalty Notice, the ICO confirmed that the cyber attack, which could be traced back to September 2020 but largely took place between May and July 2022, was a result of significant failures in the company's approach to data security, which left customers' and employees' personal data vulnerable.
South Staffordshire suffered a cyber attack which began with a successful phishing email - a scam message aimed at tricking people. In this case, the recipient opened an attachment which enabled the attacker to install malicious software which remained undetected within the organisation's systems for 20 months. Then, in May 2022, the hacker moved through the IT network.
The breach was only identified when IT performance issues prompted an internal investigation by South Staffordshire in July 2022, whereupon they discovered a ransom note that the hacker had unsuccessfully attempted to distribute to certain members of staff. Between August and November 2022, South Staffordshire detected that over 4.1 terabytes of stolen data had been published on the dark web, including the personal information of 633,887 people. The published information included:
- Personal details such as full name, physical address, email address, date of birth, gender and telephone number.
- For employees, HR information including National Insurance numbers, employee numbers, usernames and passwords.
- For customers, account information (including username and password for South Staffordshire Water online services), customer reference number, financial status information and bank account number and sort code.
- For a small percentage of customers on the Priority Services Register, information from which disabilities could be inferred.
The ICO investigation found that South Staffordshire failed to implement a range of security controls required under UK data protection law. These failures included:
- Inadequate controls that enabled the attacker to escalate to administrator privileges after gaining an initial foothold on the network.
- Inadequate monitoring and logging - only 5% of the IT environment was being monitored, meaning malicious activity was not detected.
- Use of obsolete, unsupported software on some devices.
- Inadequate vulnerability management, including unpatched critical systems and the absence of regular internal or external security scans.
During the ICO’s investigations, South Staffordshire admitted liability, accepted the ICO’s findings and agreed to pay a final penalty of £963,900 without appeal.
Sean Humber, Leigh Day partner and group claims data breach specialist, said:
“This significant fine recognises South Staffordshire’s serious failures that resulted in the personal information of hundreds of thousands of its own customers being stolen, leaving them at a huge risk of being targeted by fraudsters.”
Gene Matthews, Leigh Day partner and group claims data breach specialist, said:
“Those personally affected by the data breach are likely to have strong claims for compensation for the distress caused by the breach, as well as any financial losses suffered. While the amounts are likely to vary from individual to individual, given the sensitivity of the information, many of the claims for compensation are likely to be substantial.”
If you were affected by the data breach and wish further information in relation to joining over 6,500 people in bringing a claim for compensation, please click here.