Protect.Computer

UK Water Firm Fined After Hackers Lurked Undetected for Two Years


South Staffordshire Water, which supplies tap water to 1.6 million people across the English Midlands, has been fined nearly £1 million by the UK privacy regulator after a serious data breach. Hackers from the Cl0p ransomware group broke in through a malicious email attachment in September 2020 — and then went completely unnoticed for almost two years. The company only discovered the intrusion in July 2022 when IT systems started running slowly. By then, the attackers had already stolen 4.1 terabytes of data and published it on the dark web.

The stolen information included names, addresses, dates of birth, bank account numbers, sort codes, and National Insurance numbers belonging to 633,887 customers and employees. Some of those customers were on a disability priority register, meaning even more sensitive details were exposed. The regulator’s investigation found that the company had left two known security vulnerabilities unpatched since 2020, was still running Windows Server 2003 (a version Microsoft retired in 2015), and was actively monitoring less than 5% of its own computer network. The fine — £963,900 — came with a clear message: proactive security is a legal requirement, not optional.

How to check if you’re affected

Affected products include the online customer portal and billing accounts used by South Staffordshire Water customers. If you held an account between 2020 and 2022, your data may already be circulating online. Here is what to do:

  • Check your bank statements for unfamiliar transactions, especially small test charges followed by larger withdrawals.
  • Review your credit report at Experian, Equifax, or TransUnion for accounts or addresses you do not recognise.
  • Search for your email in a breach database such as Have I Been Pwned (haveibeenpwned.com) using the address linked to your water account.
  • Watch for convincing phishing messages — scammers buy leaked data to make fake texts and emails sound real, using your actual name and address.
