Cyber Attack, 11 May 2026, 8 min read

How 4.1TB of breached data cost South Staffordshire Water £963,900

The ICO has fined South Staffordshire Water £963,900 after a phishing email went undetected for 20 months, leading to 4.1 TB of personal data appearing on the dark web. Why physical disconnection breaks this chain.

Mark Fermor, Director & Co-Founder, Firevault
[Image: UK water treatment site at dusk with a magenta data-glitch overlay, illustrating the South Staffordshire Water cyber attack and ICO fine]

The Information Commissioner's Office has fined South Staffordshire Plc and South Staffordshire Water Plc a combined £963,900 after a cyber attack exposed the personal information of 633,887 customers and employees on the dark web. The case is one of the clearest recent examples of why a connected, software-defended estate is not enough to protect regulated personal data, and why an offline copy of the data of record has become a baseline expectation for critical national infrastructure.

The ICO announced the penalty on 11 May 2026, following a voluntary settlement in which South Staffordshire admitted the infringement and agreed to pay the reduced fine without appeal. A forty per cent reduction was applied in recognition of the early admission.

How the breach unfolded

The intrusion can be traced back to September 2020, when a member of staff opened an attachment delivered by a phishing email. That single click installed malicious software that remained undetected inside the network for twenty months. In May 2022 the attacker moved laterally and obtained domain administrator privileges, the highest level of access available on the corporate IT estate.

The breach was only identified when IT performance issues prompted an internal investigation on 15 July 2022. South Staffordshire reported the personal data breach to the ICO on 24 July 2022. Two days later, on 26 July, staff discovered a ransom note that the attacker had attempted to distribute internally. Between August and November 2022, more than 4.1 terabytes of data appeared on the dark web.

Who was affected

At the time of the attack South Staffordshire held personal information relating to approximately 1.85 million customers, around 750,000 of them current and 1.1 million former, as well as 2,791 current employees and at least 2,298 former employees.

The 633,887 records subsequently published on the dark web in August 2022 included full names, physical addresses, email addresses, dates of birth, gender and telephone numbers. For employees the leaked data included HR information and National Insurance numbers. For customers the leaked data included account information, usernames and passwords for the South Staffordshire Water online services, bank account numbers and sort codes. For a small percentage of customers on the Priority Services Register, the leaked information was sufficient to allow disabilities to be inferred.

What the ICO found

The ICO concluded that South Staffordshire had failed to implement appropriate security controls under UK data protection law. The findings included:

  • Limited controls that allowed the attacker to escalate to administrator privileges after gaining an initial foothold on the network.
  • Inadequate monitoring and logging. Only five per cent of the IT environment was being monitored, meaning malicious activity was not detected for the full twenty months.
  • Use of obsolete and unsupported software on some devices, including Windows Server 2003.
  • Inadequate vulnerability management, including unpatched critical systems and the absence of regular internal or external security scans.

Ian Hulme, the ICO's Interim Executive Director for Regulatory Supervision, set out the regulator's expectation in plain terms.

"Customers do not have the choice over which water company serves them. They are required to share their personal information and place their trust in that provider. It is therefore essential that water companies honour that trust by taking their data protection responsibilities seriously. The steps that South Staffordshire failed to take are established, widely understood and effective controls to protect computer networks. The ICO expects all organisations, and particularly those handling large volumes of personal information as part of critical national infrastructure, to have these in place. Waiting for performance issues or a ransom note to discover a breach is not acceptable. Proactive security is a legal requirement, not an optional extra."

Where Offline Secure Storage changes the outcome

Mark Fermor, founder of Firevault, has been consistent on this point. If data is reachable, it is exposed. The South Staffordshire case is a textbook demonstration of how that reachability compounds at every stage of an attack.

Phishing only succeeds because the data is reachable from the user estate. A phishing email that drops malware onto an office workstation is only useful to an attacker if that workstation, or anything it can reach, holds something worth stealing. Offline Secure Storage holds the gold copy of regulated personal data on dedicated hardware with no network interface present in its default state. A phished workstation cannot reach what is not on the network.

Twenty months of dwell time only matters because the network is always on. Dwell time is the gap between intrusion and detection. Attackers use it to map the estate, escalate privileges and stage exfiltration. An offline, identity locked vault has nothing to map and nothing to pivot into. There is no IP address to scan, no port to probe and no service to enumerate.

4.1 terabytes cannot leave a vault that has no outbound path. Exfiltration at that scale requires a sustained network route from the storage to the open internet. Physical disconnection at Layer 1 removes that route entirely. The vault is not on the same network as the attacker, and it cannot be brought onto that network by remote command.

Domain administrator compromise is irrelevant to a vault that is not on the domain. The most damaging moment in the South Staffordshire timeline was the escalation to domain admin in May 2022. A vault that is not joined to the corporate domain, has no Active Directory trust and accepts no remote administration is not affected by that escalation. Identity locked access through KYC, AML and multi factor authentication binds connection to a verified human action, not to a credential that an attacker can steal or replay.

Customer PII and employee HR data are exactly the workload Offline Secure Storage is designed for. Names, addresses, dates of birth, National Insurance numbers, bank details and Priority Services Register flags do not need to sit on a frequently accessed, internet adjacent system. They need to be kept, kept accurately and kept private. That is the workload profile that Firevault Bunkers exist to serve.

Mapping to the regulatory expectation

Mr Hulme's statement is unambiguous. Proactive security is a legal requirement. For operators of critical national infrastructure that expectation already lives inside the NIS Regulations, the incoming NIS2 transposition obligations for in scope operators, the NCSC Cyber Assessment Framework and the Cyber Essentials baseline. Each of those frameworks treats the ability to preserve, isolate and restore a clean copy of essential data as a core control, not an optional one.

The 3-2-1-0 principle remains the cleanest shorthand. Three copies of the data, on two different media, with at least one copy held offsite, and zero errors at restore. The "one offsite" line is increasingly read by regulators and insurers as "one offline". Offline Secure Storage is how Firevault delivers that final, isolated copy in Firevault Bunkers, with identity locked access and physical disconnection between sessions.
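The "zero errors at restore" part of 3-2-1-0 is only meaningful if a restore is actually checked against what was written. The script below is an added illustration, not Firevault's own tooling: it records a SHA-256 manifest when the offline copy is made and, after a restore, reports every file that is missing, altered or unexpected. The directory layout, file contents and the faulty-restore simulation in `demo()` are constructed for the example.

```python
"""Restore verification for the '0' in 3-2-1-0: zero errors at restore.

Added example, not the page's or Firevault's code. A manifest of SHA-256
digests is captured alongside the offline copy; after a restore the same
tree is hashed again and any missing, altered or unexpected file is listed.
All paths and sample files below are constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large data sets do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(root: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest captured at backup time."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "altered": sorted(k for k in manifest
                          if k in current and current[k] != manifest[k]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def restore_is_clean(report: dict) -> bool:
    """True only when no category of error was found: the '0' in 3-2-1-0."""
    return not any(report.values())


def demo():
    """Build a constructed data set, capture a manifest, then simulate a faulty restore."""
    with tempfile.TemporaryDirectory() as tmp:
        gold = Path(tmp) / "gold"
        (gold / "customers").mkdir(parents=True)
        (gold / "hr").mkdir()
        # Constructed sample records; the NI number uses an invalid QQ prefix.
        (gold / "customers" / "accounts.csv").write_bytes(b"id,name\n1,Example Customer\n")
        (gold / "hr" / "payroll.csv").write_bytes(b"id,ni_number\n1,QQ123456C\n")

        manifest = build_manifest(gold)          # taken when the offline copy is written
        clean_report = verify_restore(gold, manifest)

        # Simulate a bad restore: one file truncated, one lost, one stray file added.
        (gold / "hr" / "payroll.csv").write_bytes(b"id,ni_number\n")
        (gold / "customers" / "accounts.csv").unlink()
        (gold / "notes.txt").write_bytes(b"stray file")
        faulty_report = verify_restore(gold, manifest)
    return clean_report, faulty_report


if __name__ == "__main__":
    clean, faulty = demo()
    print("clean restore ok:", restore_is_clean(clean))
    print("faulty restore:", faulty)
```

The manifest should travel with the offline copy (or be kept on a separate medium) so that a restore can be judged without trusting the connected estate that may have been compromised.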

What CNI operators should do now

The ICO has set out four questions that every operator should be able to answer in the affirmative. They are worth restating, with one addition.

  1. Are controls in place so that users and systems can only access what they genuinely need?
  2. Are logging and monitoring controls in place providing sufficient coverage of the IT environment, and are alerts being acted upon?
  3. Are all systems patched and supported? Legacy or end of life software represents a significant and avoidable risk.
  4. Is vulnerability management part of regular operational practice, including both internal and external scanning?
  5. Is at least one copy of your regulated personal data held on Offline Secure Storage, physically disconnected from the network, so that a successful intrusion of the connected estate cannot extract, encrypt or publish it?
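Two of the ICO findings above (five per cent monitoring coverage, and Windows Server 2003 still in service) map directly onto questions 2 and 3. The script below is an added illustration, not ICO or Firevault tooling, of how an operator can answer those two questions from an asset inventory: it computes the share of hosts whose logs reach a collector and flags hosts whose operating system has left vendor support. The inventory is constructed sample data and `END_OF_SUPPORT` is a hypothetical lookup table; vendor lifecycle pages remain the authority for the dates.

```python
"""Estate audit for two of the ICO findings: log-monitoring coverage and
unsupported operating systems.

Added illustration, not tooling from the ICO or Firevault. INVENTORY is
constructed sample data and END_OF_SUPPORT is a hypothetical lookup table;
check vendor lifecycle pages before relying on any date in it.
"""
from dataclasses import dataclass

# Hypothetical end-of-support dates, as ISO strings so they compare as text.
END_OF_SUPPORT = {
    "Windows Server 2003": "2015-07-14",
    "Windows Server 2008 R2": "2020-01-14",
    "Windows 7": "2020-01-14",
}


@dataclass(frozen=True)
class Asset:
    hostname: str
    os: str
    forwards_logs: bool  # does a collector or SIEM receive this host's logs?
    domain_joined: bool


# Constructed sample inventory: 20 hosts, only the domain controller forwards
# logs, and two legacy servers remain in service.
INVENTORY = [
    Asset("dc01", "Windows Server 2019", True, True),
    Asset("fs01", "Windows Server 2003", False, True),
    Asset("app01", "Windows Server 2008 R2", False, True),
    Asset("gw01", "Ubuntu 22.04", False, False),
] + [Asset(f"ws-{i:03d}", "Windows 10", False, True) for i in range(1, 17)]


def monitoring_coverage(assets):
    """Fraction of hosts whose logs reach a collector, plus the unmonitored hostnames."""
    unmonitored = sorted(a.hostname for a in assets if not a.forwards_logs)
    return (len(assets) - len(unmonitored)) / len(assets), unmonitored


def unsupported_hosts(assets, as_of):
    """Hosts whose OS left vendor support before as_of (YYYY-MM-DD)."""
    return {a.hostname: a.os for a in assets
            if END_OF_SUPPORT.get(a.os, "9999-12-31") < as_of}


def audit(assets, as_of, min_coverage=0.95):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    fraction, unmonitored = monitoring_coverage(assets)
    if fraction < min_coverage:
        findings.append(
            f"monitoring covers {fraction:.0%} of {len(assets)} hosts "
            f"(target {min_coverage:.0%}); unmonitored: {', '.join(unmonitored)}")
    for host, os_name in sorted(unsupported_hosts(assets, as_of).items()):
        findings.append(
            f"{host} runs {os_name}, out of support since {END_OF_SUPPORT[os_name]}")
    return findings


if __name__ == "__main__":
    # 15 July 2022 is the date the internal investigation began in the case above.
    for line in audit(INVENTORY, as_of="2022-07-15"):
        print(line)
```

Run against a real inventory, the same two functions give a reviewable number for question 2 and a named list for question 3, rather than an assumption that "most" of the estate is covered.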

The fifth question is the one that turns a breach into a contained incident rather than a 4.1 terabyte dark web disclosure.

The Firevault position

Software defences are necessary. They are not, on their own, sufficient. The South Staffordshire case shows what happens when a connected estate is breached and the data of record sits inside that connected estate. Firevault exists to take that data out of reach, by design, and to hold it on dedicated hardware in carefully selected colocation bunkers with identity locked access.

If you operate critical national infrastructure, or hold large volumes of personal information on behalf of customers who have no choice but to trust you, the case for an offline copy is no longer a debate about cost. It is a question of regulatory exposure, customer harm and the reputational cost of a ransom note arriving before your monitoring does.

Learn more about Offline Secure Storage for critical national infrastructure, read what Offline Secure Storage actually is, see how Firevault aligns with UK and international compliance frameworks, or read about complete control by design.

About the author

Mark Fermor

Director & Co-Founder

The driving force behind Firevault's market presence, combining commercial vision with deep tech insight.

© 2026 Firevault Limited. Disconnect to Protect®