The Information Commissioner’s Office (ICO) issued a monetary penalty of £963,900 against South Staffordshire Plc and South Staffordshire Water Plc following a significant cyber attack that resulted in the personal data of over 633,000 individuals being compromised and published on the dark web.
The decision provides a useful indication of the ICO’s expectations and current enforcement approach to cyber security under the UK GDPR. In particular, the ICO found infringements of both Article 5(1)(f) (integrity and confidentiality principle) and Article 32(1) (security of processing), reinforcing that failures in cyber security controls can amount to breaches of core data protection principles.
Key takeaways:
1. “Best practice” cyber controls are now the legal baseline
The ICO’s findings focus on failings in well-established, fundamental security measures rather than novel or sophisticated issues. Controls often described as “best practice” (e.g. monitoring, access controls, patching) are now treated as minimum expectations of “appropriate” technical and organisational measures for compliance with Article 32(1). In this case, the ICO identified multiple foundational deficiencies, including:
- Inadequate monitoring and logging - only c.5% of the IT environment was actively monitored;
- Failure to enforce least privilege access;
- Use of outdated or unsupported software on parts of the network; and
- Insufficient vulnerability management and patching processes.
2. Prolonged undetected access and data exfiltration increase severity
The attacker remained undetected within the organisation’s systems for approximately 20 months, during which time they moved laterally and exfiltrated over 4TB of data. The ICO placed significant weight on this extended dwell time, indicating that cases involving both prolonged unauthorised access and substantial data loss will be treated as particularly serious.
3. Phishing remains a foreseeable and preventable entry point
The attack originated from a single successful phishing email, which enabled the installation of malicious software. This reinforces the ICO’s expectation that organisations implement both technical and organisational controls to mitigate phishing risk (e.g. user training, email filtering and access restrictions).
4. Scale and sensitivity of data materially increase enforcement risk
The breach affected over 633,000 individuals and included financial and HR data, as well as information from which special category data could be inferred. Organisations processing large volumes of sensitive personal data should expect closer regulatory scrutiny and greater exposure in the event of a breach.
5. Organisations delivering essential services face heightened scrutiny when customers have limited choice
The ICO emphasised that customers often have no choice but to entrust their personal data to providers such as water companies, which must honour that trust by taking their data protection responsibilities seriously. The ICO expects all organisations to have established, widely understood and effective controls to protect computer networks in place, and will scrutinise this particularly closely where organisations handle large volumes of personal information as part of critical national infrastructure.
6. The ICO is providing greater transparency on its fining approach
The decision clearly illustrates how the ICO applies its penalty framework, moving from the statutory maximum (£17.5 million in this case) to a final penalty by setting a seriousness-based starting point (15%) and applying successive reductions for turnover, mitigating factors and settlement, resulting in a £963,900 fine. This provides useful guidance for organisations assessing potential financial exposure.
7. Early cooperation and settlement reduce financial penalties
The ICO gave significant weight to cooperation, remediation and early admission of liability, applying a substantial settlement discount - reinforcing that early engagement can have a material impact on financial outcomes.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.