
The Information Commissioner’s Office has fined South Staffordshire Water Plc and parent company South Staffordshire Plc £963,900 ($1.3 million) over a cyberattack that exposed the personal information of 663,887 customers and employees.
The company supplies 330 million litres of drinking water to 1.6 million customers daily and, in 2022, disclosed that it had been the target of a cyberattack that disrupted its IT operations.
At the time, the company dismissed claims from the Cl0p ransomware gang, which claimed the attack (after initially misidentifying its victim), but the leaked data samples appeared authentic.
The ICO’s investigation has now confirmed that the leaked data was indeed genuine and belonged to South Staffordshire Water Plc, and also noted that the compromise had actually begun in September 2020.
“We’ve fined South Staffordshire Plc and South Staffordshire Water Plc (together South Staffordshire) £963,900 following a serious cyber attack that resulted in the personal information of 633,887 people being extracted and published on the dark web,” reads the ICO’s announcement.
“The attack, which can be traced back to September 2020 but largely took place between May and July 2022, exposed significant failures in the company’s approach to data security and left customers and employees vulnerable for almost two years.”
According to the ICO, the breach occurred through a phishing attack that enabled the attackers to install malware on the company’s systems. The malware remained undetected for 20 months.
Between May and July 2022, the attacker escalated privileges across South Staffordshire Plc’s network and gained domain administrator access.
The breach was only discovered in July 2022 after IT performance problems prompted an investigation.
The leaked data included full names, physical addresses, email addresses, phone numbers, dates of birth, customer account credentials, bank account details, and employee HR data such as National Insurance numbers.
The ICO found multiple security failures that led to this data exposure incident, including:
- Insufficient controls to prevent privilege escalation
- Monitoring that covered only about 5% of the IT environment
- Use of outdated software, such as Windows Server 2003
- Poor vulnerability management and missing security patches
- Lack of regular internal and external security scans
These failures constitute a breach of UK data protection requirements, the regulator said, which is why a fine was imposed.
The initial amount was higher, but because South Staffordshire admitted liability early, cooperated with the investigation, and agreed to settle without appeal, the ICO reduced the penalty by 40%.
