
South Staffordshire Water
A UK critical national infrastructure water utility serving the West Midlands, fined £963,900 by the ICO in May 2026 for a 2022 ransomware breach with 20-month dwell time.
Last refreshed: 20 May 2026 · Appears in 1 active topic
If 95 per cent of a water company's IT was unmonitored for 20 months, how many others are in the same position?
Timeline for South Staffordshire Water
Received £963,900 fine after a 20-month attacker dwell exposing 633,887 individuals' data and 4.1 terabytes of exfiltrated data
Cybersecurity: Threats and Defences: ICO fines South Staffs Water £963,900Why was South Staffordshire Water fined by the ICO?
How much was the South Staffordshire Water fine?
What went wrong technically in the South Staffordshire Water cyberattack?
Background
South Staffordshire Water (trading as South Staffs Water and Cambridge Water) is a UK water utility supplying drinking water to approximately 1.6 million customers across the West Midlands and Cambridgeshire. The company is a subsidiary of South Staffordshire Plc and operates under Ofwat regulation. It is classified as Critical National Infrastructure under UK Government sector designations, providing essential services to households and businesses including parts of the industrial West Midlands conurbation.
The Information Commissioner's Office fined South Staffordshire Plc and South Staffordshire Water Plc £963,900 on 12 May 2026 for a 2022 ransomware intrusion. An attacker entered via a phishing email, dwell time ran undetected for 20 months, and the attacker reached domain administrator privileges and exfiltrated 4.1 terabytes of data to the dark web before detection. The ICO found the company had monitoring coverage of only 5 per cent of its IT estate, lacked Privileged Access Management, and had no segmentation between corporate IT and operational technology. The fine covered 633,887 affected individuals and included a 40 per cent reduction for early admission of liability. The ICO's enforcement route was UK GDPR Article 32 and the Data Protection Act 2018, not the Cyber Security and Resilience Bill, which remains at Commons Report Stage.
The South Staffordshire fine establishes a regulatory precedent that NCSC technical guidance on monitoring coverage and network segmentation now carries enforceable weight via ICO interpretation of existing law, before Parliament finalises the new statutory cyber regime for CNI. The Capita precedent (2023) was the ICO's previous benchmark for CNI-adjacent organisations; South Staffordshire is the first explicit CNI water-sector enforcement action.