South Staffs Water fined nearly £1m

Leigh Day welcomes significant fine imposed on South Staffordshire for a major data breach affecting customers and employees
Lawyers representing victims of a data breach have applauded the Information Commissioner's Office (ICO) for imposing a £963,900 fine on South Staffordshire Plc and South Staffordshire Water Plc due to a cyber-attack that exposed the personal information of 633,887 individuals on the dark web. The breach, which occurred primarily between May and July 2022 but was triggered by a phishing email back in September 2020, stemmed from serious lapses in the company's data security measures. Leigh Day is currently advocating for over 6,500 impacted customers, helping them pursue claims for the anxiety, distress and financial losses they have endured.
The ICO's investigation revealed that South Staffordshire had significant shortcomings in its data protection protocols, which allowed attackers to exploit vulnerabilities in its network. The cyber incident was initiated when the attacker successfully deceived an employee into opening a phishing email attachment, allowing malware to infiltrate the company's systems undetected for 20 months. It wasn’t until internal IT issues prompted an investigation in July 2022 that the breach was unearthed. A ransom note was discovered, indicating the prior presence of hackers. By November 2022, over 4.1 terabytes of sensitive data had surfaced on the dark web, including crucial personal details of customers and employees.
The published data comprised essential personal information such as full names, addresses, contact details, and in some cases, even financial data including bank account numbers. Particularly concerning was the exposure of information from which disabilities could be inferred for individuals on the Priority Services Register. The ICO found that the company failed to implement necessary security measures mandated by UK data protection laws, with failings including inadequate monitoring, use of outdated software, and insufficient vulnerability management practices.
Throughout the ICO's investigation, South Staffordshire accepted responsibility and acknowledged the findings of the inquiry. Consequently, the company agreed to the penalty without contesting the decision. Leigh Day partners Sean Humber and Gene Matthews emphasised the implications of the breach and the potential for substantial compensation claims. Humber stated, “This significant fine recognises South Staffordshire’s serious failures that resulted in the personal information of hundreds of thousands of its own customers being stolen, leaving them at a huge risk of being targeted by fraudsters.” Meanwhile, Matthews highlighted that affected individuals “are likely to have strong claims for compensation for the distress caused by the breach, as well as any financial losses suffered.” This incident underscores the critical importance of stringent data protection measures to safeguard sensitive information against cyber threats.












