Cyber Failures Cost Water Firm Nearly £1m

If it isn’t sewage that water firms are leaking into rivers, then it’s your data that they are leaking to hackers. The ICO has fined South Staffordshire Water £963,900 for leaking the data of 633,000 people. The company submitted its case for mitigation and said it will not appeal against the fine. As a result, the initial fine was reduced by 40%, with the ICO saying this was “in recognition of the efficiencies that South Staffordshire’s early admission brought to the investigation.”

That will be of little comfort to the customers of South Staffordshire Water. The company increased bills by just 2% for water-only customers, one of the lowest in the country. Rather than fine the company, the ICO should have required it to refund customers their bill increase for this year.


Ian Hulme, ICO Interim Executive Director for Regulatory Supervision, said, “Customers do not have the choice over which water company serves them — they are required to share their personal information and place their trust in that provider. It is therefore essential that water companies honour that trust by taking their data protection responsibilities seriously.

“The steps that South Staffordshire failed to take are established, widely understood and effective controls to protect computer networks. The ICO expects all organisations — and particularly those handling large volumes of personal information as part of critical national infrastructure — to have these in place. 

“Waiting for performance issues or a ransom note to discover a breach is not acceptable. Proactive security is a legal requirement, not an optional extra.”

How did this happen?

The attack started with a single phishing email that persuaded an employee to open an attachment. It led to malware being installed that then sat undetected for 20 months. Attackers used this time to move through the network and eventually gain domain administrator privileges. This gave them the highest level of control over the IT systems.

IT only realised there was a problem when performance dropped. It started an internal investigation on 15 July 2022 and reported the breach to the ICO. Too little, too late. 4.1 terabytes of data had already been published on the dark web.

The investigation revealed basic security gaps, including the fact that the firm was monitoring just 5% of its IT environment. That is an incredibly low figure: an attacker can move through the other 95% of the estate without ever generating an alert, which is exactly what happened here, and it raises concerns over policy, tools and processes. Compounding the problem was the age of many software assets.

For example, some systems ran on Windows Server 2003. Microsoft ended mainstream support for it in July 2010 and extended support, which is the phase in which security updates are still issued, on 14 July 2015. By the time of the attack, those systems had gone seven years without a security patch, so nobody could credibly claim to know their security state.

The company has not given any reason for this lack of security control or why it was so unprepared for an attack. It has also not provided any details on what it will cost to replace systems and carry out a full company-wide security assessment. The company doesn’t even have Cyber Essentials certification. For an operator of Critical National Infrastructure (CNI), this is shocking.

Who runs the IT function?

The last accounts for South Staffordshire Water were published in March 2025. In them, the company talks about Echo Managed Services, a wholly owned unit. It is described as a “specialist in multi-channel customer contact services and Salesforce-native water billing software.”

When it rebranded in 2025, it combined its water billing software brand, Aptumo, under the Echo brand. This, the company claims, was to deliver a seamless brand experience. With customers in the UK, Australia and the USA, this makes sense.

Echo India Managed Services is a wholly owned offshore operation that manages projects for Echo’s customers. It also supports IT in delivering projects for the whole of South Staffordshire Water. Interestingly, the company says that it has recently moved to the ISO 27001:2022 standard. That implies it was already ISO 27001 certified, which raises questions as to how it didn’t detect the breach earlier. One caveat: ISO 27001 certifies a management system within a declared scope, and that scope may cover Echo’s service delivery rather than the parent company’s corporate network, so certification alone says nothing about detection coverage across the wider estate.

Enterprise Times: What does this mean?

This is a poor look for South Staffordshire Water and will worry customers, both domestic and commercial. From an IT perspective, it’s hard to understand how any CNI operator can have so little understanding of its environment. Resilience, observability, security: these are not just buzzwords. And for a regulated industry, it is surprising that the fine, even before the discount, was so low.

Beyond the fine itself, the reputational damage, especially to Echo, will be interesting to watch. There will also be significant operational costs this year as the company looks for better control of its infrastructure. Regulators, from the ICO to Ofwat, will also be paying it closer attention. Audits are likely to be more stringent, and the National Cyber Security Centre is already providing its advice.

Beyond that, there will need to be an overhaul of security controls. First, do access controls limit users to only what they need? Second, does monitoring cover the entire IT environment? Third, are all systems patched and free of legacy software? Fourth, is vulnerability management part of daily operations?
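Those four questions can be turned into a repeatable check rather than an annual audit finding. The script below is an added example, not code from South Staffordshire Water, Echo or the ICO. It reconciles a host inventory against the hosts the log collector actually heard from (question two), flags operating systems past their vendor end-of-life and hosts with no recent patch (questions three and four), and compares Domain Admins membership with an approved list (question one). The hostnames, the SIEM host list and the group membership are constructed sample data; only the Microsoft end-of-support dates are real.

```python
"""Asset-hygiene reconciliation: the four overhaul questions as one runnable check.

Added example. Inventory, SIEM host list and Domain Admins membership below are
constructed sample data, not the utility's real estate. EOL dates are Microsoft's.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Reference date: the day the internal investigation began.
TODAY = date(2022, 7, 15)

# Last day of extended support (the last day vendor security updates were issued).
EOL_OS = {
    "Windows Server 2003": date(2015, 7, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
}


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    last_patched: Optional[date]  # None: no patch record exists for this host


# Constructed inventory (hypothetical hostnames).
INVENTORY = [
    Host("DC01", "Windows Server 2019", date(2022, 7, 1)),
    Host("FILE01", "Windows Server 2012 R2", date(2022, 6, 20)),
    Host("BILLING-DB", "Windows Server 2003", None),
    Host("SCADA-HIST", "Windows Server 2003", date(2015, 6, 9)),
    Host("WEB01", "Windows Server 2016", date(2022, 3, 1)),
    Host("APP02", "Windows Server 2019", date(2022, 7, 10)),
]

# Constructed: hosts the log collector received at least one event from in the last 24h.
SEEN_BY_SIEM = {"DC01", "APP02"}

# Constructed: current Domain Admins membership and the approved break-glass list.
DOMAIN_ADMINS = ["Administrator", "adm-jsmith", "svc-backup", "helpdesk-tier1"]
APPROVED_ADMINS = {"Administrator", "adm-jsmith"}


def monitoring_coverage(inventory, seen):
    """Question 2: percentage of known hosts that reached the SIEM, plus the blind spots."""
    unmonitored = sorted(h.name for h in inventory if h.name not in seen)
    monitored = len(inventory) - len(unmonitored)
    return round(100.0 * monitored / len(inventory), 1), unmonitored


def end_of_life_hosts(inventory, today=TODAY):
    """Question 3: hosts whose OS no longer receives vendor security updates."""
    return sorted(h.name for h in inventory if h.os in EOL_OS and EOL_OS[h.os] < today)


def stale_patch_hosts(inventory, today=TODAY, max_age_days=30):
    """Question 4: hosts not patched within max_age_days, or with no patch record at all."""
    stale = []
    for h in inventory:
        if h.last_patched is None or (today - h.last_patched).days > max_age_days:
            stale.append(h.name)
    return sorted(stale)


def privilege_drift(members, approved):
    """Question 1: accounts holding Domain Admins that are not on the approved list."""
    return sorted(set(members) - set(approved))


def hygiene_report(inventory=INVENTORY, seen=SEEN_BY_SIEM, members=DOMAIN_ADMINS,
                   approved=APPROVED_ADMINS, today=TODAY):
    """Collect all four answers in one structure so they can be tracked over time."""
    coverage_pct, unmonitored = monitoring_coverage(inventory, seen)
    return {
        "coverage_pct": coverage_pct,
        "unmonitored": unmonitored,
        "end_of_life": end_of_life_hosts(inventory, today),
        "stale_patch": stale_patch_hosts(inventory, today),
        "unapproved_admins": privilege_drift(members, approved),
    }


if __name__ == "__main__":
    for key, value in hygiene_report().items():
        print(f"{key}: {value}")
```

The point of feeding the check a real inventory rather than a SIEM dashboard is that a dashboard only ever shows the hosts that already log; the blind spots, which in this case were 95% of the estate, are visible only when the inventory is the denominator. Note that Windows Server 2012 R2 is not flagged as end-of-life at the July 2022 reference date but would be today, which is why the date is a parameter rather than a hard-coded constant.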

The ICO has published guidance on ransomware protection. The National Cyber Security Centre also offers a Cyber Action Toolkit for smaller firms.

The post Cyber Failures Cost Water Firm Nearly £1m appeared first on Enterprise Times.
