The Information Commissioner's Office ("ICO") has recently issued a monetary penalty of £963,900 against South Staffordshire Plc and South Staffordshire Water Plc ("South Staffordshire"). South Staffordshire Water Plc is a primary supplier of clean water to approximately 1.6 million people across parts of Staffordshire, the West Midlands, surrounding counties and Cambridge.
What happened?
The incident was discovered on 15 July 2022, after South Staffordshire had noticed performance issues in its IT systems and began an investigation. That investigation revealed unscheduled exports of its database, which held both customer and employee data, and anomalous server and database performance. A third-party security service provider was quickly engaged, and the forensic investigation discovered that South Staffordshire had been subject to a cyber-attack, with the threat actor accessing and controlling a number of internal devices.
The investigation further revealed that the initial access had in fact occurred nearly two years earlier, on 11 September 2020, when an individual opened a malicious email attachment following a successful phishing attempt. This led to the installation of tools that gave the threat actor access to South Staffordshire's network; 20 different endpoints were accessed before 4 August 2022.
Between 25 August 2022 and 18 November 2022, approximately 4.121 TB of exfiltrated data was published by the threat actor on the dark web, affecting 633,887 UK data subjects. The published data included personal details such as names, addresses, HR information including National Insurance numbers, financial data including bank account numbers and, for a small percentage of customers, information from which physical health conditions or disabilities could be inferred.
South Staffordshire self-reported the breach to the ICO on 24 July 2022.
The ICO investigation and response
The ICO found that South Staffordshire had demonstrated a number of failures, including:
- a failure to properly implement the principle of least privilege, i.e. only providing the minimum amount of access to users required to perform their role;
- a failure to implement adequate security monitoring and logging: at times during the relevant period South Staffordshire had only monitored 5% of its IT environment, meaning that it did not pick up on the relevant red flags;
- running out-of-date software systems, which posed a security risk; and
- a failure to manage and report on vulnerabilities within its cyber environment: during the relevant period South Staffordshire did not run a single vulnerability scan.
Ultimately, South Staffordshire had failed to proactively protect against cyber-attacks by providing adequate software or engaging in appropriate IT security practices to mitigate risk. Whilst the ICO did reduce the potential liability for South Staffordshire on the basis that it self-reported, was wholly cooperative with its investigation and implemented remedial improvements, the size of the fine remained significant given the number of data subjects affected, the level of damage suffered and the duration of the breach.
South Staffordshire entered into a voluntary settlement with the ICO, securing a 40% settlement discount which reduced the penalty from £1,606,500 to £963,900.
Lessons learned
This penalty carries important warnings for all organisations processing large volumes of personal data, and emphasises that the ICO maintains a strong position on sanctions even for those in the utilities sector. It serves as another useful example of the baseline that the ICO expects organisations, particularly larger organisations, to be adhering to in terms of cyber resilience:
- Phishing remains a primary method of attack by threat actors. Regular staff training, robust email filtering and multi-factor authentication are essential to reduce this risk.
- Implement the principle of least privilege. As recommended by the National Cyber Security Centre ("NCSC"), accounts and users should have the minimum amount of access needed to perform their role, and a tiering model should be applied to administrative accounts to limit the scope of any possible compromise.
- Security monitoring must cover the whole environment. Monitoring only a fraction of an IT environment, as was the case here, leaves significant blind spots and opens organisations up to unknown risks. Organisations should ensure security monitoring platforms are fully integrated across their networks.
- Up-to-date software is vital for reducing cyber risk. The NCSC is clear that once software becomes out of date, it should not be used. Running end-of-life operating systems exposes organisations to known vulnerabilities which are an easy target for threat actors to exploit. Although upgrades come with an expense, running IT environments on obsolete software may well result in significant financial consequences and other risks.
- Conduct regular vulnerability scanning. Routine scanning, both internal and external, should be a standard part of any cyber security programme; otherwise critical weaknesses may go unidentified and unpatched.