UK water firm fined £1M after running Windows Server 2003


The Information Commissioner’s Office (ICO) has imposed a fine of £963,900 on South Staffordshire Water and its parent company after the personal data of 633,887 people was extracted and published on the dark web following a cyberattack.

In September 2020, South Staffordshire Water received a phishing email containing an attachment. When the recipient opened the attachment, malware was installed that provided the attackers with undetected access to the company’s corporate network for 20 months.

In May 2022, the attacker began moving laterally through South Staffordshire Water’s network and gained administrator-level access. The unauthorized access was detected in July 2022, which immediately prompted an internal investigation.

Between August and November 2022, the water company discovered that over 4.1 terabytes of data had been published on the dark web. This included personal details of 633,887 people, such as full names, postal addresses, email addresses, dates of birth, phone numbers, and gender information. For a small number of customers, information about disabilities was exfiltrated and published as well.

In addition, human resource information for workers was leaked, as well as customer account information, such as usernames and passwords for South Staffordshire Water online services and bank account numbers.

According to the ICO, the privacy and data protection authority (DPA) in the United Kingdom, the water company and its parent company failed at many levels. First, once the attackers had a foothold on the network, they obtained administrator-level privileges with little difficulty.

On top of that, only a small portion of the company’s IT environment was actively monitored, which is why the attackers’ activity went undetected for so long.

Furthermore, South Staffordshire Water ran obsolete, end-of-life software on some devices, including Windows Server 2003. Lastly, the company lacked adequate security procedures, leaving critical systems unpatched.
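The three gaps the ICO cites (end-of-life operating systems, thin monitoring coverage, and unpatched critical systems) are all things an asset inventory can surface before an attacker does. The following script is an added example, not code from the article, the ICO or South Staffordshire Water: it runs the three checks over a constructed, hypothetical inventory and flags the riskiest combination, an end-of-life host that nobody is monitoring. The hostnames and patch dates are made up; the vendor end-of-support dates are Microsoft's published ones for the listed Windows Server releases, and the 90-day patch threshold is an assumed policy value.

```python
"""Asset-inventory hygiene checks: end-of-life OS, patch staleness,
and monitoring coverage.

Added example (not from the article). INVENTORY is constructed: the
hostnames and dates are hypothetical. EOL_DATES holds Microsoft's
published end-of-extended-support dates for the releases listed.
"""
from datetime import date

# End of extended support per release. Windows Server 2003 is the one
# named in the article; the others let the check cover a whole estate.
EOL_DATES = {
    "Windows Server 2003": date(2015, 7, 14),
    "Windows Server 2008": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows Server 2012": date(2023, 10, 10),
    "Windows Server 2012 R2": date(2023, 10, 10),
}

# Constructed sample inventory (hypothetical hosts, not real systems).
INVENTORY = [
    {"host": "dc01",   "os": "Windows Server 2019",    "last_patch": date(2022, 6, 14),  "monitored": True},
    {"host": "fs-old", "os": "Windows Server 2003",    "last_patch": date(2015, 6, 9),   "monitored": False},
    {"host": "app02",  "os": "Windows Server 2008 R2", "last_patch": date(2019, 12, 10), "monitored": False},
    {"host": "app03",  "os": "Windows Server 2012 R2", "last_patch": date(2022, 3, 8),   "monitored": True},
    {"host": "web01",  "os": "Windows Server 2016",    "last_patch": date(2022, 5, 10),  "monitored": True},
]


def eol_hosts(inventory, as_of):
    """Hosts whose OS left vendor support before the `as_of` date."""
    return [h["host"] for h in inventory
            if h["os"] in EOL_DATES and EOL_DATES[h["os"]] < as_of]


def stale_hosts(inventory, as_of, max_days=90):
    """Hosts not patched within `max_days` of `as_of` (assumed policy: 90 days)."""
    return [h["host"] for h in inventory
            if (as_of - h["last_patch"]).days > max_days]


def monitoring_coverage(inventory):
    """Fraction of hosts that feed telemetry to monitoring (0.0 if inventory is empty)."""
    if not inventory:
        return 0.0
    return sum(1 for h in inventory if h["monitored"]) / len(inventory)


def unmonitored_eol_hosts(inventory, as_of):
    """The worst case: unsupported OS *and* no monitoring, so exploitation goes unseen."""
    eol = set(eol_hosts(inventory, as_of))
    return [h["host"] for h in inventory if h["host"] in eol and not h["monitored"]]


def report(inventory, as_of, max_days=90):
    """Bundle the checks so they can be run as one scheduled job."""
    return {
        "as_of": as_of.isoformat(),
        "eol": eol_hosts(inventory, as_of),
        "stale": stale_hosts(inventory, as_of, max_days),
        "coverage": round(monitoring_coverage(inventory), 2),
        "unmonitored_eol": unmonitored_eol_hosts(inventory, as_of),
    }


if __name__ == "__main__":
    # Evaluate the estate as it would have looked in July 2022.
    for key, value in report(INVENTORY, date(2022, 7, 1)).items():
        print(f"{key}: {value}")
```

The date argument matters: the same inventory evaluated in 2024 would also flag the Windows Server 2012 R2 host as end-of-life, so the check should be run on a schedule rather than once. On a real estate the inventory would come from a CMDB or endpoint-management export and the `monitored` flag from whichever hosts actually ship logs to the SIEM or EDR console.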

“Waiting for performance issues or a ransom note to discover a breach is not acceptable. Proactive security is a legal requirement, not an optional extra,” Ian Hulme, ICO Interim Executive Director for Regulatory Supervision, said.

South Staffordshire Water and its parent company admitted to their mistakes, accepted the ICO’s findings, and agreed to pay a penalty of £963,900 without appeal.

South Staffordshire Water previously stated that the cyberattack didn’t affect the safety of water supplies and that operational systems remained secure during the incident.

