Hackers Hid Inside Major UK Water Utility for Nearly 2 Years
ICO Warns Key Security Gaps Led to Exposed Data of Over 630,000 People

A British regulator said a major water sector organization failed to apply established cybersecurity safeguards to secure sensitive data, allowing hackers to use a phishing campaign to gain persistence, steal records and expose more than 630,000 sensitive records.
Chris Riotta (@chrisriotta) • May 11, 2026
Image: Roger Kidd / CC BY-SA 2.0
A British privacy regulator fined a major water supplier nearly $1.3 million after finding the utility left longstanding security gaps unaddressed across its corporate network, allowing a ransomware intrusion to expose personal information affecting more than 633,000 customers, employees and contractors.
The U.K. Information Commissioner's Office said Monday it fined South Staffordshire Water and parent company, South Staffordshire, 963,900 pounds following an investigation into a 2022 cyberattack that compromised names, dates of birth, contact information, payment details, online account credentials and limited health-related information. The penalty notice links the breach to a September 2020 phishing attack that installed malware inside the company's corporate network.
"Customers do not have the choice over which water company serves them," said Ian Hulme, ICO interim executive director for regulatory supervision. "They are required to share their personal information and place their trust in that provider."
The utility "failed to take established, widely understood and effective controls to protect computer networks," he said. "Waiting for performance issues or a ransom note to discover a breach is not acceptable."
The intrusion went undetected for 20 months until July 2022, after performance issues triggered an internal investigation. Forensic examiners later discovered attackers had attempted to deploy ransomware across the environment. The ICO said South Staffordshire failed to implement established cybersecurity controls despite operating within one of the U.K.'s critical infrastructure sectors (see: No Pressure: Water Utility Drips Alert 4 Months After Breach).
The fine comes amid concerns among Western cyber agencies that critical infrastructure systems are exposed to ransomware and nation-state hackers alike. The regulator said attackers accessed and exfiltrated personal information belonging to 633,887 current and former customers, employees and contractors before portions of the stolen data were later published online.
According to the ICO's monetary penalty notice, investigators identified failures across multiple parts of the utility's security environment, including insufficient monitoring coverage, weak privileged access management, unsupported legacy systems and inadequate vulnerability management practices. The notice said attackers maintained unauthorized access within the network for an extended period after the initial phishing compromise, moving laterally between systems and harvesting credentials before the ransomware deployment attempt in 2022.
Even a year after the incident, only a small percentage of South Staffordshire's network was covered by centralized security monitoring, according to the regulator. Investigators also found that the company lacked evidence showing vulnerability scans had been consistently performed across the network during key periods tied to the intrusion.
The ICO said several systems contained known vulnerabilities years after patches became available. Two domain controllers remained vulnerable to ZeroLogon, a critical privilege escalation flaw disclosed in 2020 (see: Microsoft Issues Updated Patching Directions for 'Zerologon').
The regulator also found portions of the environment operated on unsupported software, including Windows Server 2003 systems that don't receive security updates from Microsoft.
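The two findings above, domain controllers still exposed to Zerologon years after the patch and hosts running unsupported Windows versions, are both things a defender can audit in minutes. The following PowerShell is an added example written for this article, not code from the ICO notice or the utility; it assumes the RSAT ActiveDirectory module, remoting rights to each domain controller, and Microsoft's documented Netlogon registry value and event IDs for CVE-2020-1472.

```powershell
# Added example: audit every domain controller for Zerologon (CVE-2020-1472)
# secure-channel enforcement and report its OS so end-of-life builds stand out.
# Assumes RSAT ActiveDirectory and PowerShell remoting to the DCs.
Import-Module ActiveDirectory

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    Invoke-Command -ComputerName $dc.HostName -ArgumentList $regPath -ScriptBlock {
        param($regPath)

        $os = (Get-CimInstance Win32_OperatingSystem).Caption

        # Microsoft's documented switch: FullSecureChannelProtection = 1 forces
        # secure RPC for all Netlogon channels. Since the Feb 2021 update,
        # enforcement is the default, so a missing value on a patched DC is
        # fine; a missing value on an unpatched DC is not, which is why the
        # newest installed hotfix is reported alongside it.
        $enforce = (Get-ItemProperty -Path $regPath -Name FullSecureChannelProtection `
                    -ErrorAction SilentlyContinue).FullSecureChannelProtection
        $lastFix = Get-HotFix | Where-Object InstalledOn |
                   Sort-Object InstalledOn -Descending | Select-Object -First 1

        # Netlogon event IDs from the same guidance: 5827/5828 = vulnerable
        # connection denied; 5829 = allowed (compatibility mode);
        # 5830/5831 = allowed by group-policy exception. Any "allowed" count
        # means a client is still negotiating insecure channels.
        $events = @(Get-WinEvent -FilterHashtable @{
            LogName = 'System'; ProviderName = 'NETLOGON'
            Id = 5827, 5828, 5829, 5830, 5831
            StartTime = (Get-Date).AddDays(-7)
        } -ErrorAction SilentlyContinue)

        [pscustomobject]@{
            DC          = $env:COMPUTERNAME
            OS          = $os
            Enforcement = $enforce
            LastHotfix  = $lastFix.HotFixID
            LastPatched = $lastFix.InstalledOn
            Allowed7d   = @($events | Where-Object { $_.Id -in 5829, 5830, 5831 }).Count
            Denied7d    = @($events | Where-Object { $_.Id -in 5827, 5828 }).Count
        }
    }
}

$results | Sort-Object LastPatched | Format-Table -AutoSize
```

A DC whose latest hotfix predates August 2020 has never received the Zerologon fix regardless of the registry value, and any row with a non-zero Allowed7d count identifies clients that need remediation before enforcement is safe.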
The ICO notice does not indicate attackers compromised operational technology or water treatment systems directly. South Staffordshire Water previously said the incident affected corporate IT systems but did not disrupt water quality or operational delivery services.
Public reporting linked the extortion and data publication phase of the incident to the Cl0p ransomware operation. The ICO notice itself does not name the group or establish whether Cl0p conducted the initial phishing intrusion, obtained access from another actor or became involved later in the attack lifecycle.
The ICO said South Staffordshire has since implemented additional security improvements, including stronger monitoring capabilities, enhanced access controls and broader remediation measures following the breach.