
The Information Commissioner’s Office has fined South Staffordshire Water Plc and parent company South Staffordshire Plc £963,900 ($1.3 million) over a cyberattack that exposed the personal data of 663,887 customers and employees.
The company supplies 330 million liters of drinking water to 1.6 million consumers every day and, in 2022, disclosed that it was the target of a cyberattack that disrupted its IT operations.
At the time, the company dismissed claims from the Cl0p ransomware gang, which claimed the attack (after initially misidentifying its victim), but the leaked data samples appeared genuine.
The ICO’s investigation has now confirmed that the leaked data was indeed authentic, belonging to South Staffordshire Water Plc, and also noted that the compromise had actually begun in September 2020.
“We have fined South Staffordshire Plc and South Staffordshire Water Plc (collectively South Staffordshire) £963,900 following a serious cyber attack that resulted in the personal information of 633,887 people being extracted and published on the dark web,” reads the ICO’s announcement.
“The attack, which can be traced back to September 2020 but largely occurred between May and July 2022, exposed significant failures in the company’s approach to data security and left customers and employees vulnerable for nearly two years.”
According to the ICO, the breach occurred through a phishing attack that enabled the attackers to install malware on the firm’s systems. The malware remained undetected for 20 months.
Between May and July 2022, the attacker escalated privileges across South Staffordshire Plc’s network and gained domain administrator access.
The breach was only discovered in July 2022 after IT performance problems triggered an investigation.
The leaked data included full names, physical addresses, email addresses, phone numbers, dates of birth, customer account credentials, bank account details, and employee HR data such as National Insurance numbers.
The ICO found several security failures that led to this data exposure incident, including:
- Insufficient controls to prevent privilege escalation
- Monitoring covered only about 5% of the IT environment
- Use of obsolete software, such as Windows Server 2003
- Poor vulnerability management and missing security patches
- Lack of regular internal and external security scans
These failures constitute a violation of UK data protection requirements, the regulator said, which is why a fine was imposed.
The initial amount was larger, but because South Staffordshire admitted liability early, cooperated with the investigation, and agreed to settle without appeal, the ICO reduced the penalty by 40%.

