South Staffordshire Water discovered hackers only after systems slowed down

A UK water supplier allowed hackers to remain hidden inside its computer systems for almost two years before discovering the breach after unexplained IT slowdowns, Britain’s data protection watchdog has found.
The Information Commissioner’s Office (ICO) has fined South Staffordshire Water £963,900 after a cyberattack linked to the Cl0p ransomware group exposed the personal data of more than 630,000 customers and employees.
According to the regulator, the initial breach began in September 2020 when an employee opened a malicious email attachment, unknowingly giving attackers access to the company’s internal network.
The hackers were able to remain undetected until May 2022, when they began moving across systems using a domain administrator account, one of the highest levels of access available within the network.
The company only identified the intrusion in July 2022 after investigating widespread performance problems affecting its IT systems. Two weeks later, staff discovered a ransom note that attackers had attempted to distribute internally.
The breach first became public in August 2022 after the Cl0p ransomware group mistakenly claimed it had stolen data from Thames Water, which supplies around 15 million people in and around London.
At the time, the hackers claimed they had the capability to alter the chemical composition of water supplies, although those claims were strongly disputed by South Staffordshire.
Personal data leaked
The ICO said around 4.1 terabytes of data were published online, including names, addresses, dates of birth, bank account details and National Insurance numbers.
In some cases, information indicating disabilities among vulnerable customers registered for priority support services was also published online.
Investigators concluded that several basic cyber security measures had not been implemented.
Among the failings identified were the absence of routine vulnerability scans, the continued use of outdated Windows Server 2003 systems, and the failure to patch a critical security flaw known as “ZeroLogon”, which had been publicly disclosed in 2020.
The watchdog also found that, by late 2021, an outsourced security operations centre was monitoring only 5% of the company’s IT environment.
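The findings above describe a domain administrator account being used to move across systems for two months without anyone noticing, with the intrusion surfacing only through performance problems. The following Python script is an added example, not from the article or from South Staffordshire Water, of the kind of detection logic a monitored environment could run over authentication logs: it flags a privileged account that logs on interactively to an unusual number of distinct hosts within a short window. The log format, account and host names and the privileged-account watch-list are all constructed for the example; the logon-type numbers follow the Windows convention (2 = interactive, 10 = RemoteInteractive).

```python
"""Flag a privileged account fanning out across many hosts in a short window.

Added example: parses constructed, Windows-style logon records (hypothetical
whitespace-separated format) and raises an alert when an account on a
privileged watch-list reaches more distinct hosts interactively, inside one
time window, than a threshold allows.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp, account, target host, logon type.
SAMPLE_LOG = """\
2022-05-03T09:12:01 DOMAIN\\svc-backup   FS01   3
2022-05-03T09:15:44 DOMAIN\\jsmith       WS117  10
2022-05-03T22:01:09 DOMAIN\\da-admin     DC01   10
2022-05-03T22:04:31 DOMAIN\\da-admin     FS01   10
2022-05-03T22:07:58 DOMAIN\\da-admin     SQL02  10
2022-05-03T22:09:12 DOMAIN\\da-admin     WS044  10
2022-05-03T22:11:40 DOMAIN\\da-admin     WS045  10
2022-05-04T08:30:00 DOMAIN\\da-admin     DC01   10
"""

# Assumed watch-list of domain-admin-level accounts (constructed name).
PRIVILEGED_ACCOUNTS = {"DOMAIN\\da-admin"}
# Windows logon types that imply a person (or a tool driving a session)
# is on the box: 2 = Interactive, 10 = RemoteInteractive (RDP).
INTERACTIVE_TYPES = {2, 10}


def parse_log(text):
    """Turn the hypothetical log text into (timestamp, account, host, type) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host, ltype = line.split()
        records.append((datetime.fromisoformat(ts), account, host, int(ltype)))
    return records


def detect_fan_out(records, window=timedelta(hours=1), max_hosts=3,
                   privileged=PRIVILEGED_ACCOUNTS):
    """Return {account: (window_start, sorted_hosts)} for every privileged
    account that logged on interactively to more than max_hosts distinct
    hosts within any sliding window of the given length."""
    by_account = defaultdict(list)
    for ts, account, host, ltype in records:
        if account in privileged and ltype in INTERACTIVE_TYPES:
            by_account[account].append((ts, host))

    alerts = {}
    for account, events in by_account.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {h for _, h in events[start:end + 1]}
            if len(hosts) > max_hosts:
                alerts[account] = (events[start][0], sorted(hosts))
                break  # first hit is enough to raise the alert
    return alerts


if __name__ == "__main__":
    for account, (since, hosts) in detect_fan_out(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {account} reached {len(hosts)} hosts since {since}: {hosts}")
```

On the constructed sample the ordinary service account and the single-workstation user produce nothing, while the domain administrator account trips the threshold at the fourth distinct host inside the evening burst. A rule like this only sees hosts whose logs are actually ingested; with a security operations centre covering 5% of the estate, as the ICO found here, the other 95% of logons never reach it, which is why monitoring coverage is the first thing to audit before tuning thresholds.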
Ian Hulme, the ICO’s interim executive director for regulatory supervision, said organisations responsible for critical infrastructure were expected to maintain strong protections.
“Waiting for performance issues or a ransom note to discover a breach is not acceptable,” he said.
“Customers do not have the choice over which water company serves them – they are required to share their personal information and place their trust in that provider.”
The ICO’s findings made no reference to any compromise of operational water treatment systems.
The regulator reduced the penalty after the company admitted liability early, cooperated with investigators and agreed not to appeal the decision.
South Staffordshire also secured a further discount through a voluntary settlement.
Cyberattacks targeting Britain’s water
The case comes amid growing concern over cyberattacks targeting Britain’s water industry.
The UK government is expected to introduce new legislation later this year aimed at strengthening cyber security requirements for operators of critical national infrastructure.
South Staffordshire chief executive Charley Maher said the company had invested heavily in improving its cyber defences since the attack.
“We are sorry for the worry and concern it caused for customers and employees,” he said.
“We continue to enhance our capabilities as the threat landscape evolves.”