The UK's Information Commissioner's Office has fined South Staffordshire Water Plc and its parent company £963,900 ($1.3M) following a 2022 cyberattack that exposed personal data of 663,887 customers and employees. The breach originated from a phishing attack in September 2020, with malware remaining undetected for 20 months before discovery in July 2022. The Cl0p ransomware gang was responsible. ICO investigators found multiple security failures, including insufficient privilege escalation controls, monitoring that covered only 5% of the IT environment, use of obsolete software such as Windows Server 2003, and poor patch management. The fine was reduced by 40% due to early admission of liability and cooperation with the investigation.

From bleepingcomputer.com