The U.K.’s Information Commissioner’s Office (ICO) fined South Staffordshire Water PLC and its parent company, South Staffordshire Plc, £964,900 following a 2022 Cl0p ransomware attack that exposed the personal data of over 633,000 customers and employees. The regulator said the operator failed to implement appropriate security measures before attackers gained access to sensitive customer information, some of which was later published on the dark web.
The ICO noted the penalty reflected a voluntary settlement and included a 40% reduction due to improvements made after the breach, cooperation with regulators, and support provided to affected customers.
The cyberattack disrupted the utility provider’s corporate IT systems. It became one of the U.K. water sector’s highest-profile ransomware incidents after the Cl0p gang initially misidentified the victim as Thames Water. The ICO said the case underscores growing regulatory scrutiny on critical infrastructure operators over cyber resilience and data protection obligations, particularly as ransomware groups increasingly target utilities and essential services. South Staffordshire Water had previously…
