UK water company allowed hackers to lurk undetected for nearly two years, regulator finds

A British utilities company supplying drinking water to 1.6 million people failed to discover hackers hidden inside its computer network for nearly two years before the intrusion came to light through an IT performance slowdown, the UK's data protection regulator has found.

The Information Commissioner's Office (ICO) fined South Staffordshire Water £963,900 ($1.3 million) on Monday over an attack by the Cl0p ransomware group that led to the personal data of 633,887 customers and employees being published in August 2022.

According to the penalty notice, the initial access occurred almost two years earlier in September 2020 when an employee opened a malicious email attachment, installing software that gave the attacker a foothold on the corporate network.

The threat actor then remained hidden until May 2022 before beginning to move laterally across systems using a domain administrator account, the highest level of system access available.

The company did not identify the intrusion until July 2022, when the IT performance issues prompted an internal investigation. Two weeks later the company discovered a ransom note the attacker had unsuccessfully attempted to distribute to certain members of staff.

After the incident, South Staffordshire detected approximately 4.1 terabytes of data published on the dark web, including names, addresses, dates of birth, bank account numbers and sort codes, National Insurance numbers, and, for a small percentage of customers on the company's Priority Services Register, information from which disabilities could be inferred.

The ICO's investigation identified four specific security failures, including a failure to implement the principle of least privilege — a standard control that limits user access to only what is needed for their role — which allowed the threat actor to move freely across the network using a domain administrator account.

As of December 2021, more than a year after the attacker first gained access, an outsourced security operations center was monitoring just 5% of the company's IT environment. The third party was not identified in the ICO’s report, which said endpoint telemetry and logging were not integrated into the company's security monitoring platform.

Some devices were also still running Windows Server 2003, an operating system whose extended support ended in July 2015.

When asked by the ICO to provide records of any internal or external vulnerability scans conducted between September 2020 and May 2022, the company confirmed no such scans existed for either category.

Two domain controllers also remained unpatched against a critical vulnerability known as ZeroLogon which allows rapid escalation of privileges and was first published in August 2020. The attacker successfully exploited this vulnerability during the incident.
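The four findings above are all inventory questions a defender can answer mechanically. The following is an added example, not code from the article or from South Staffordshire: it runs a small posture review over a constructed 20-host inventory (names, roles and dates are invented) and reports telemetry coverage, end-of-life operating systems, hosts with no recent vulnerability scan, and domain controllers without Netlogon secure-channel enforcement (the mitigation for ZeroLogon). The `netlogon_enforced` field is an assumed inventory attribute, not a value the page supplies.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Host:
    name: str
    os: str
    role: str                       # "dc", "server" or "workstation"
    in_monitoring: bool             # endpoint telemetry reaches the SOC platform
    last_vuln_scan: Optional[date]  # None means never scanned
    netlogon_enforced: bool = True  # assumed attribute: Netlogon enforcement (ZeroLogon fix)

# Operating systems past vendor extended support (assumption: a static list).
EOL_OS = {"Windows Server 2003", "Windows Server 2008", "Windows 7"}

def telemetry_coverage(hosts):
    """Percentage of inventoried hosts whose telemetry reaches the SOC."""
    return round(100 * sum(h.in_monitoring for h in hosts) / len(hosts), 1)

def assess(hosts, today, max_scan_age=timedelta(days=90)):
    """Return the control gaps a regulator-style review would flag."""
    return {
        "coverage_pct": telemetry_coverage(hosts),
        "unmonitored": [h.name for h in hosts if not h.in_monitoring],
        "eol_os": [h.name for h in hosts if h.os in EOL_OS],
        "unscanned": [h.name for h in hosts
                      if h.last_vuln_scan is None
                      or today - h.last_vuln_scan > max_scan_age],
        "dc_zerologon_exposed": [h.name for h in hosts
                                 if h.role == "dc" and not h.netlogon_enforced],
    }

# Constructed inventory: 20 hosts, only one of which is monitored (5% coverage).
SAMPLE_HOSTS = [
    Host("dc01", "Windows Server 2016", "dc", False, None, netlogon_enforced=False),
    Host("dc02", "Windows Server 2016", "dc", False, None, netlogon_enforced=False),
    Host("fs-legacy", "Windows Server 2003", "server", False, None),
    Host("app01", "Windows Server 2019", "server", True, date(2022, 4, 1)),
] + [Host(f"ws{n:02d}", "Windows 10", "workstation", False, None) for n in range(16)]

def sample_assessment():
    """Run the review against the constructed inventory as of 1 May 2022."""
    return assess(SAMPLE_HOSTS, date(2022, 5, 1))

if __name__ == "__main__":
    for key, value in sample_assessment().items():
        print(f"{key}: {value}")
```

In a real estate the inventory would be pulled from the CMDB or directory and the monitoring flag from the SOC platform's agent list, which is exactly the reconciliation that exposes a 5% coverage figure.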

“Waiting for performance issues or a ransom note to discover a breach is not acceptable,” said Ian Hulme, the ICO's Interim Executive Director for Regulatory Supervision, adding that “proactive security is a legal requirement, not an optional extra.”

Incidents and reactions

The breach became public in August 2022 when, in a bungled extortion attempt, the Cl0p group claimed to have stolen data from a different water supplier, Thames Water, which serves around 15 million people in and around London.

At the time, the group claimed to have been capable of altering the chemical composition of the water supply, although this was disputed by South Staffordshire. The penalty notice makes no reference to any compromise of operational or water treatment systems.

The ICO placed the infringements in the medium seriousness category and reduced the total fine due to South Staffordshire’s cooperation, early admission of liability and mitigation steps. A further discretionary reduction was applied, though the reasoning is redacted in the published notice.

South Staffordshire entered a voluntary settlement earlier this year, securing a 40% discount, and has agreed not to appeal against the ICO’s decision.

The fine comes as British water suppliers face a growing number of cyberattacks. Five incidents were reported to the Drinking Water Inspectorate between January 2024 and October 2025 — a record number in any two-year period, as reported by Recorded Future News, which obtained the figures under freedom of information laws in November 2025.

Those reports were made voluntarily. Under the current NIS Regulations, water suppliers are only required to notify authorities of cyber incidents that cause actual disruption to supplies. South Staffordshire's breach, which became public in 2022, did not meet that threshold.

The U.K. government’s Cyber Security and Resilience Bill, intended to expand mandatory reporting requirements and improve security standards for critical infrastructure operators, is expected to be introduced to Parliament this year.

Although there have been ransomware attacks against the IT office systems used by water companies — including the companies that made the above reports in the U.K., and Aigües de Mataró in Spain — it is extremely rare for cyberattacks on water suppliers to actually disrupt services.

In one rare case of a successful attack on an operational technology (OT) component, residents of a remote area on Ireland’s west coast were left without water for several days in December 2023 when a pro-Iran hacking group indiscriminately targeted facilities using a piece of equipment the hackers complained was made in Israel.

The U.S. federal government had issued a warning about the exploitation of Unitronics programmable logic controllers (PLCs) used by many organizations in the water sector. Attacks on PLCs, core components of many industrial control systems, are one of the main concerns of critical infrastructure defenders.

Initiatives to improve the security of water systems in the United States faltered under the Biden administration when water industry groups partnered with Republican lawmakers to put a halt to the federal efforts, despite significant increases in the number of ransomware attacks and state-sponsored intrusions.

Last year, Canadian authorities warned of an incident in which hacktivists changed the water pressure at one local utility among a spate of attacks interfering with industrial control systems.

South Staffordshire’s chief executive, Charley Maher, said: “We accept the Information Commissioner’s Office’s decision relating to the cyber attack our Group experienced in 2022, and are sorry for the worry and concern it caused for customers and employees. We took immediate action to contain the incident, support those impacted and reduce the risk of recurrence.

“We have invested significantly to further strengthen our cyber security resilience, governance and monitoring, and we continue to enhance our capabilities as the threat landscape evolves. Protecting customer and employee information is a responsibility we take extremely seriously, and we remain focused on learning from this incident and maintaining strong safeguards across the Group.”

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow at the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal on: AlexanderMartin.79