South Staffordshire Water data breach and ICO penalty after prolonged undetected intrusion
Summary
A UK water company, South Staffordshire Water, was fined £980,000 by the UK Information Commissioner’s Office (ICO) following a two-year undetected intrusion that compromised the personal data of 633,887 individuals. The breach began with a phishing email on September 11, 2020, which led to the installation of the Get2 downloader and the SDBbot remote access trojan. The threat actor moved laterally using a domain admin account and RDP between May 17 and August 4, 2022; the breach was discovered on July 15, 2022, due to IT performance anomalies. A ransom note was found on July 26, 2022, and the actor claimed to have exfiltrated 4.1TB of sensitive PII, including HR data, bank details, and Priority Services Register information. The fine was reduced from £1.6m after the company agreed not to contest the penalty. The ICO cited multiple failures: lack of least privilege enforcement, inadequate monitoring (only 5% of the environment was monitored), unsupported legacy software (e.g., Windows Server 2003), and unpatched critical systems. The regulator emphasized that critical infrastructure providers handling large volumes of personal data must implement established security controls proactively.
Timeline
- 12.05.2026 11:30 · 1 article
South Staffordshire Water fined £980k after two-year undetected breach compromising 633k individuals
A phishing email on September 11, 2020, led to installation of Get2 downloader and SDBbot RAT, enabling domain admin access and lateral movement between May 17 and August 4, 2022. The breach was discovered on July 15, 2022, due to IT performance issues, and reported to the ICO on July 24, 2022. A ransom note was found on July 26, 2022. The attacker exfiltrated 4.1TB of sensitive PII affecting 633,887 individuals, including HR data and bank details. The ICO fined the company £980,000 for failures in monitoring, privilege management, patching, and use of unsupported software.
- South Staffordshire Water Fined £1m After Data Breach — www.infosecurity-magazine.com — 12.05.2026 11:30
Information Snippets
- Initial compromise occurred via phishing email on September 11, 2020, leading to installation of Get2 downloader and SDBbot RAT.
  First reported: 12.05.2026 11:30 (1 source, 1 article)
- Threat actor achieved domain admin access and moved laterally using RDP between May 17 and August 4, 2022, remaining undetected during this period.
  First reported: 12.05.2026 11:30 (1 source, 1 article)
- Breach was discovered on July 15, 2022, following IT performance issues caused by unscheduled database exports, and reported to the ICO on July 24, 2022.
  First reported: 12.05.2026 11:30 (1 source, 1 article)
- A ransom note was found on July 26, 2022, indicating that the threat actor attempted extortion, although delivery to staff was unsuccessful.
  First reported: 12.05.2026 11:30 (1 source, 1 article)
- Stolen data included 4.1TB of sensitive PII affecting 633,887 current and former customers and employees, representing 34% of the company’s total personal data holdings.
  First reported: 12.05.2026 11:30 (1 source, 1 article)
- Compromised data types: full name, physical and email addresses, date of birth, gender, telephone numbers, National Insurance numbers, bank account details, sort codes, and Priority Services Register information (indicating disabilities).
  First reported: 12.05.2026 11:30 (1 source, 1 article)
- Security failures included absence of least privilege enforcement, inadequate monitoring (only 5% of IT environment monitored), use of unsupported legacy software (e.g., Windows Server 2003), unpatched critical systems, and lack of regular internal or external security scans.
  First reported: 12.05.2026 11:30 (1 source, 1 article)
- Fine imposed was £980,000, reduced from £1.6m after the company agreed not to contest the penalty.
  First reported: 12.05.2026 11:30 (1 source, 1 article)