What happened
The UK’s Information Commissioner’s Office fined South Staffordshire Water £963,900 on Monday after finding the company failed to detect hackers hidden inside its network for nearly two years, allowing the Cl0p ransomware group to ultimately publish the personal data of 633,887 customers and employees in August 2022.
Initial access occurred in September 2020 when an employee opened a malicious email attachment. The attacker remained undetected until May 2022, when it began moving laterally across systems using a domain administrator account. The company did not identify the intrusion until July 2022, when IT performance issues prompted an internal investigation. Two weeks later, a ransom note was discovered that the attacker had unsuccessfully attempted to distribute to staff. The published data included names, addresses, dates of birth, bank account numbers, sort codes, National Insurance numbers, and for a subset of customers on the Priority Services Register, information from which disabilities could be inferred.
The ICO identified four specific security failures. As of December 2021, more than a year after the attacker first gained access, an outsourced security operations center was monitoring just 5% of the company’s IT environment, with endpoint telemetry and logging not integrated into the security monitoring platform. No internal or external vulnerability scans were conducted between September 2020 and May 2022. Two domain controllers remained unpatched against ZeroLogon, a critical privilege escalation vulnerability published in August 2020, which the attacker successfully exploited. Some devices were still running Windows Server 2003, whose extended support ended in July 2015. The principle of least privilege had not been implemented, allowing the attacker to move freely using a domain administrator account.
South Staffordshire entered a voluntary settlement securing a 40% discount on the fine and has agreed not to appeal. The UK government’s Cyber Security and Resilience Bill, expected to expand mandatory reporting requirements for critical infrastructure operators, is anticipated to be introduced to Parliament this year.
Who is affected
633,887 South Staffordshire Water customers and employees had personal and financial data published on the dark web. The broader UK water sector faces increasing scrutiny, with five cyber incidents reported to the Drinking Water Inspectorate between January 2024 and October 2025, a record for any two-year period.
Why CISOs should care
The ICO’s findings read as a checklist of foundational security failures: no vulnerability scanning for nearly two years, a critical unpatched privilege escalation vulnerability actively exploited, legacy operating systems a decade past end of support, and a security operations center monitoring less than 5% of the environment. The attacker had 21 months of undetected access before performance degradation prompted anyone to look.
The ICO’s statement that waiting for performance issues or a ransom note to discover a breach is not acceptable signals that regulators are moving toward an expectation of proactive detection capability rather than accepting reactive discovery as compliant behavior. That posture shift has direct implications for how critical infrastructure operators will be assessed under incoming legislation.
3 practical actions
Implement continuous vulnerability scanning and ensure critical patches are applied within defined SLA windows: ZeroLogon was published in August 2020 and exploited in this incident. Two domain controllers remained unpatched throughout the nearly two-year intrusion. Establish automated scanning cadences and patching SLAs with escalation procedures for critical vulnerabilities on systems with domain-level access.
Audit the coverage scope of your security operations center and integrate endpoint telemetry across the full environment: Monitoring 5% of an IT environment leaves 95% of the attack surface invisible to detection. Review your SOC’s coverage against your full asset inventory, prioritize integration of endpoint telemetry and logging from all systems, and define a coverage target with a documented roadmap to achieve it.
Apply least privilege across all domain accounts and eliminate unnecessary domain administrator access: The attacker’s ability to move freely using a domain administrator account was a direct consequence of failing to implement least privilege. Audit all accounts with elevated domain privileges, reduce them to the minimum required for operational purposes, and implement Privileged Access Management controls that limit when and where domain administrator credentials can be used.
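As an added illustration of the three actions above (example code, not from the article, the ICO or the company), a small Python control-gap check over a constructed asset inventory: it computes SOC telemetry coverage against the inventory, flags vulnerability-scan and patching SLA breaches with domain controllers first, lists hosts past end of support, and counts domain administrator accounts. The SLA values, coverage target, host names and dates are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
# Assumed policy values; replace with your own patching SLAs and coverage target.
PATCH_SLA_DAYS = {"critical": 14, "high": 30, "medium": 90}
SOC_COVERAGE_TARGET = 0.95
MAX_SCAN_GAP_DAYS = 30

@dataclass
class Host:
    name: str
    eos_date: "date | None"       # vendor end of extended support, if known
    telemetry_in_soc: bool        # endpoint telemetry and logs reach the SOC platform
    domain_controller: bool = False
    pending: list = field(default_factory=list)  # (patch, severity, published date)

def soc_coverage(hosts):
    """Fraction of the asset inventory whose telemetry actually reaches the SOC."""
    return sum(h.telemetry_in_soc for h in hosts) / len(hosts) if hosts else 0.0

def overdue_patches(hosts, today):
    """Pending patches older than their severity's SLA; domain controllers listed first."""
    found = []
    for h in hosts:
        for patch, sev, published in h.pending:
            age = (today - published).days
            if age > PATCH_SLA_DAYS.get(sev, 90):
                found.append((h.name, patch, sev, age, h.domain_controller))
    return sorted(found, key=lambda r: (not r[4], -r[3]))

def control_gaps(hosts, domain_admins, last_vuln_scan, today):
    """One entry per failure class the ICO cited: SOC coverage, scanning, patching, EoS, privilege."""
    scan_gap = None if last_vuln_scan is None else (today - last_vuln_scan).days
    return {
        "soc_coverage": soc_coverage(hosts),
        "soc_below_target": soc_coverage(hosts) < SOC_COVERAGE_TARGET,
        "scan_overdue": scan_gap is None or scan_gap > MAX_SCAN_GAP_DAYS,
        "overdue_patches": overdue_patches(hosts, today),
        "unsupported_hosts": [h.name for h in hosts if h.eos_date and h.eos_date < today],
        "domain_admin_count": len(domain_admins),
    }

# Constructed inventory loosely modelled on the article's timeline; not real data.
ZEROLOGON = ("ZeroLogon DC patch", "critical", date(2020, 8, 11))  # published August 2020
HOSTS = [Host("dc01", None, False, True, [ZEROLOGON]),
         Host("dc02", None, False, True, [ZEROLOGON]),
         Host("legacy-app", date(2015, 7, 14), False),  # Windows Server 2003, EoS July 2015
         Host("ws-001", None, True)]

def audit_sample(today=date(2021, 12, 1)):
    return control_gaps(HOSTS, ["admin1", "admin2", "svc-backup"], date(2020, 9, 1), today)
```

Run as of December 2021, the constructed inventory reports 25% SOC coverage, an overdue scan, both domain controllers hundreds of days past the critical-patch SLA and one unsupported host, which is the shape of the findings the article lists.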
Also in the news today:
- TrickMo Android Banker Adopts TON Blockchain for Covert Command-and-Control
- New GhostLock Tool Abuses Windows API to Block File Access
- OpenAI Launches Daybreak Initiative to Automate Vulnerability Detection and Remediation
- Texas Sues Netflix Over Alleged Unauthorized Data Collection and Sharing
- OpenLoop Health Data Breach Confirmed at 716,000 Individuals
- Instructure Pays Ransom to Resolve Canvas Data Breach Affecting 275 Million Users
