Opinion

Why the ICO’s crackdown on South Staffordshire water is a warning to all

By Dennis Martin
The sun rises at Blithfield Reservoir, Staffordshire, England

In September 2020, a South Staffordshire Water employee opened a phishing email. The attachment installed malware on the company's network, and by the time IT engineers spotted unusual performance issues almost two years later, in September 2022, an attacker had already spent months moving through the network, gaining administrator access, and stealing 4.1 terabytes of data. This data included personal details of over 600,000 customers and employees, bank account details, National Insurance numbers, and disability information, which were later published on the dark web.

The Information Commissioner's investigation found no exotic vulnerabilities or sophisticated attacks behind the breach. Rather, it found that only 5 percent of the company's IT environment was being monitored, that controls were insufficient to stop an attacker from gaining admin rights once inside, and that the network was running severely outdated systems.

The ICO pointed out that “The steps that South Staffordshire Water failed to take are established, widely understood and effective controls to protect computer networks.”

What is most alarming is that the missing controls the ICO has called out are basic.

In 2026, with the arrival of sophisticated AI tools that can find and exploit vulnerabilities at rapid speed, companies should have robust user access management solutions in place, moving beyond username/password combinations and towards multi-factor authentication or passphrases. Unsupported systems, like Windows Server 2003 in the SSW case, need to be updated or, especially in industrial environments, tightly air-gapped. And companies need to realise that security also means being able to detect attacks and respond to them quickly and decisively. Being able to monitor 5% of systems simply isn’t good enough.

For personal data specifically, the GDPR requires boards to be able to demonstrate accountability, meaning they need to be able to show how they have ensured their cyber defences are appropriate. This is not just important for compliance with legislation like GDPR, but may also be relevant for meeting client and cyber-insurance requirements.

For cyber security, business continuity, and resilience in general, we must opt for a ‘test don’t trust’ approach:

Can your systems hold up under a sophisticated penetration test? Do your backups work? Can your identity infrastructure be compromised? Do your incident processes work – and are they purely IT-centric or do they bring in the wider business? Do you have a defined ‘minimum viable company’ fall-back level that would reliably allow you to keep operating in a crisis?

Boards should be able to answer those questions easily and confidently.

A call to action for the boardroom

The South Staffordshire Water fine should be a catalyst for a change in tone at the board level. When we conduct analyses of critical business processes and their required resources, IT is almost always at or very near the top. We need to robustly protect these critical assets. Companies should:

  • Implement strong controls, based on standards. Cyber Essentials Plus, ISO 27001, or the NCSC’s cyber action toolkit for smaller companies, are excellent standards to align to. Even if an organisation isn’t certified, being able to evidence alignment to an established standard goes a long way.
  • Ensure that efforts don’t focus solely on protecting against cyber attacks but also take into account the ability to reliably detect cyber attacks and the processes to deal with them when they happen.
  • Develop a robust testing and exercising regime to ensure your defences and plans are as good as they can be. Additionally, evidence of testing and exercises shows accountability.
  • Recognise that building a cyber-resilient organisation also means understanding that IT can fail and planning for keeping operations going regardless. A major cyber crisis is not just won in IT but also in the boardroom through clear directions, communication, prioritisation of efforts, and structured decision making.

Written by Dennis Martin
May 21, 2026