
UK Regulator Fines South Staffordshire £963,900 After Cyber Attack Exposed Customer Data

By: Jordan Vector, Cybersecurity Expert

Last updated: May 20, 2026

  • The Information Commissioner’s Office fined South Staffordshire Plc £963,900 after a cyber attack exposed the personal data of 633,887 customers and employees.

  • A single phishing email opened the door for hackers, who went undetected inside the company’s systems for nearly two years.

  • Law firm Leigh Day is now representing around 6,500 affected individuals, with compensation claims expected to be substantial.

A cyber attack that started with one phishing email ended with the personal data of over 630,000 people sitting on the dark web and a fine of nearly £1 million landing on the company responsible.

The Information Commissioner’s Office (ICO) has fined South Staffordshire Plc £963,900 following a serious breach that exposed the information of 633,887 customers and employees connected to its Cambridge Water subsidiary. The ICO’s Monetary Penalty Notice traced the attack back to September 2020, with the most active phase running between May and July 2022.

How One Email Brought Down Two Years of Security

The attack began simply. A South Staffordshire Water employee received a phishing email and opened an attachment, giving the attacker a foothold inside the company’s systems. From that entry point, the hacker installed software and settled in quietly.

The intrusion went undetected for nearly two years. In May 2022, the attacker began moving laterally through the IT network. The company only discovered the breach in July 2022, when internal IT issues triggered an investigation. That investigation turned up a ransom note that the hacker had tried to send to staff members but failed.

Between August and November 2022, South Staffordshire confirmed that more than 4.1 terabytes of stolen data had been released onto the dark web. The leaked information included full names, email addresses, HR records belonging to employees, and customer account details.

The ICO investigation identified several security failures that allowed the attack to go as far as it did. Investigators found that the company had inadequate controls that let the hacker escalate to administrator privileges, weak monitoring and logging practices, obsolete and unsupported software still running on some devices, and critical systems left unpatched with no regular in-house or external security monitors in place.

The Human Cost Behind the Fine

Cambridge Water’s managing director, Elena Karpathakis, acknowledged the impact on customers. She said the company apologized for the worry and disruption the attack caused, adding that once the breach came to light, the team moved quickly to contain it, support those affected, and strengthen protections.

According to Karpathakis, the company has continued investing significantly in its cybersecurity since 2022, including improvements to governance and monitoring, and intends to keep that focus as threats continue to develop.

The fine, however, signals that good intentions after the fact carry limited weight when the underlying security failures were left unaddressed in the first place. The ICO’s penalty reflects the scale of the exposure and the gap between the company’s security posture and reasonable expectations.

This isn’t an isolated regulatory action. An Australian court fined FIIG Securities $2.5 million for cybersecurity failures, showing that regulators in multiple jurisdictions are cracking down on inadequate data protection.

For the people whose data ended up on the dark web, the consequences extend beyond a regulatory notice.

Law firm Leigh Day is currently representing approximately 6,500 individuals affected by the event. Sean Humber (partner and group claims information breach specialist at Leigh Day) described the fine as recognition of serious failures that left hundreds of thousands of customers exposed to the risk of fraud.

His colleague Gene Matthews added that those personally affected likely have strong grounds for compensation, both for the distress caused by the breach and for any financial losses that followed. According to Matthews, the amount will vary from person to person, but given the sensitivity of the information involved, he expects many substantial claims.

The Cambridge Water breach sits within a broader pattern that regulators and security researchers have flagged repeatedly. Phishing remains one of the most common entry points for attackers, and organisations that leave basic controls unaddressed continue to pay the price, sometimes years after the initial compromise.

In this case, a single opened attachment in 2020 set off a chain of events that took two years to surface and will likely take several more to fully resolve.

About the Author

Jordan Vector

Cybersecurity Expert

Jordan is a security researcher and advocate who focuses on making privacy practical. Whether he's explaining how to harden a browser or reporting on the latest surveillance disclosures, his goal is to equip readers with knowledge they can use immediately. Jordan believes that true security begins with understanding the digital landscape.
