South Staffordshire Water

A UK critical national infrastructure water utility serving the West Midlands, fined £963,900 by the ICO in May 2026 for a 2022 ransomware breach with 20-month dwell time.

Last refreshed: 20 May 2026

Key Question

If 95 per cent of a water company's IT was unmonitored for 20 months, how many others are in the same position?

Common Questions

Why was South Staffordshire Water fined by the ICO?
The ICO fined South Staffordshire Water £963,900 on 12 May 2026 for a 2022 ransomware breach. An attacker remained undetected for 20 months, reached domain administrator level, and exfiltrated 4.1 terabytes of data. The ICO found only 5 per cent of the IT estate was under monitoring. Source: ICO

How much was the South Staffordshire Water fine?
£963,900. The ICO applied a 40 per cent reduction for early admission of liability. The fine covered 633,887 affected individuals under UK GDPR Article 32 and the Data Protection Act 2018. Source: ICO

What went wrong technically in the South Staffordshire Water cyberattack?
The attacker entered via a phishing email and remained undetected for 20 months because only 5 per cent of the IT estate was under active monitoring. There was no Privileged Access Management and no segmentation between corporate IT and operational technology, allowing lateral movement to domain administrator level. Source: ICO

Will other UK water companies be fined after the South Staffordshire ICO precedent?
The ICO's South Staffordshire enforcement explicitly applies the Capita template to critical national infrastructure water utilities. Companies such as Trent Water face the same Article 32 security-of-processing standard and the same ICO enforcement docket before the Cyber Security and Resilience Bill reaches Royal Assent.

Background

South Staffordshire Water (trading as South Staffs Water and Cambridge Water) is a UK water utility supplying drinking water to approximately 1.6 million customers across the West Midlands and Cambridgeshire. The company is a subsidiary of South Staffordshire Plc and operates under Ofwat regulation. It is classified as Critical National Infrastructure under UK Government sector designations, providing essential services to households and businesses including parts of the industrial West Midlands conurbation.

The Information Commissioner's Office fined South Staffordshire Plc and South Staffordshire Water Plc £963,900 on 12 May 2026 for a 2022 ransomware intrusion. An attacker entered via a phishing email and remained undetected for 20 months, reaching domain administrator privileges and exfiltrating 4.1 terabytes of data to the dark web before detection. The ICO found the company had monitoring coverage of only 5 per cent of its IT estate, lacked Privileged Access Management, and had no segmentation between corporate IT and operational technology. The fine covered 633,887 affected individuals and included a 40 per cent reduction for early admission of liability. The ICO's enforcement route was UK GDPR Article 32 and the Data Protection Act 2018, not the Cyber Security and Resilience Bill, which remains at Commons Report Stage.

The South Staffordshire fine establishes a regulatory precedent that NCSC technical guidance on monitoring coverage and network segmentation now carries enforceable weight via ICO interpretation of existing law, before Parliament finalises the new statutory cyber regime for CNI. The Capita precedent (2023) was the ICO's previous benchmark for CNI-adjacent organisations; South Staffordshire is the first explicit CNI water-sector enforcement action.
