ICO fines water company just shy of a million
What all organisations can learn from cyber-attack fines
The significant risk posed by insufficient security measures is laid bare as the ICO issues a £963,900 fine to a UK water company following a cyber-attack. More than 600,000 people were affected, with their personal details exfiltrated and published on the dark web.
The case highlights the danger of phishing attacks and the crucial need to implement regular system monitoring and thorough security scans. Initial access to the water company’s systems went undetected for two years.
South Staffordshire PLC and South Staffordshire Water PLC (together South Staffordshire) admitted their infringement of the law and agreed to a reduced fine without appeal. This settlement approach was introduced with the aim of bringing enforcement action to a speedier conclusion, and offers a potential discount of up to 40% on fines where organisations accept liability and waive their right to appeal.
What went wrong?
Back in 2020 the recipient of a phishing email opened an attachment, and the attacker was then able to install malicious software. Around 18 months later the hacker moved through the company’s network and compromised administrator privileges. Only after subsequent IT issues emerged was an internal investigation launched, which finally unearthed the attack, along with ransom notes the hacker had unsuccessfully tried to distribute.
South Staffordshire established that between August and November 2022, 4.1 terabytes of data relating to customers, employees and former employees had been published on the dark web. This included contact details, dates of birth, National Insurance numbers, usernames and passwords, and financial details.
Key failures
The ICO investigation identifies the following core failures:
- Limited controls meant the attacker could escalate to administrator-level privileges after the successful phishing attack
- Inadequate monitoring and logging
- Use of obsolete, unsupported software on some devices
- Inadequate vulnerability management, including unpatched critical systems and the absence of regular internal or external security scans
You can read more from the ICO here
What other cyber-attack fines tell us
While ICO fines are not commonplace, enforcement action during 2025 reveals a similar pattern of organisations failing to put robust enough security measures in place.
Capita – £14 million fine
Capita suffered a cyber-attack in 2023 which affected the personal data of 6.6 million people. The attack began when an employee unintentionally downloaded a malicious file, giving hackers access to the company’s systems. Although this triggered a security alert, Capita were too slow to react, which allowed the hackers time to move laterally and exfiltrate data. Key failings include:
- Failure to prevent privilege escalation and unauthorised lateral movement
- Failure to remedy known vulnerabilities
- Failure to respond appropriately to security alerts due to understaffing
- Inadequate penetration testing and risk assessment
Advance – £3 million fine
Advance provides IT and software services to organisations including the NHS, and this case was notable as the first UK GDPR fine issued to a processor; it serves as a stark reminder of supply-chain risk. Hackers managed to access a subsidiary’s system which, critically, did not have Multi-Factor Authentication (MFA) enabled. Other failures included:
- A lack of mature vulnerability management scanning mechanisms
- Inadequate security patch management
The fall-out was significant, putting the personal information of nearly 80,000 people at risk. The attack caused massive disruption to critical NHS services, and healthcare staff were left unable to access patient records.
DPP law firm – £60k fine
This case is notable as it shows that not only big organisations can face enforcement action. DPP is relatively small but, like many law firms, handles sensitive data. Hackers exploited a user account which did not have MFA and were able to move laterally across the firm’s systems. The attack led to highly sensitive personal data being published on the dark web.
12 key steps to mitigate cyber risks
Despite the increased frequency of cyber-attacks, the ICO does not issue very many fines, and a regulatory fine is just one of many potential impacts of a successful attack. Investigations can be costly and time-consuming, as can the necessary remedial actions; then there is the harm to affected individuals, the erosion of trust leading to reputational damage, and so on.
Here are some measures which can help prevent or minimise the risk of a cyber-attack and data breach. These are not in any priority order, all are important.
1. Know your systems, devices and data so you know what you need to protect.
2. Restrict user access to data and services by applying the ‘Principle of Least Privilege’ (PoLP) across all systems holding personal, sensitive and confidential data. Employees (and other workers) should only have the minimum access rights needed to perform their specific role. Apply even stricter controls for system administrators.
3. Choose secure settings for networks, devices and software, and use MFA wherever possible.
4. Use anti-virus and security software to prevent malware.
5. Protect against vulnerabilities with routine patching and updates. Address known vulnerabilities quickly.
6. Implement routine penetration tests.
7. Monitor for unusual behaviour and keep logs. React rapidly to any alerts.
8. Implement measures to make it more difficult for phishing attacks to reach your users, and raise awareness so users can identify and report suspected phishing messages. See NCSC Phishing Guidance.
9. Encrypt data in transit and at rest.
10. Assess and manage supply chain security risks.
11. Back up your data and make sure back-ups can be recovered quickly, e.g. in the event of a ransomware attack.
12. When all else fails, be sure to have a robust incident response procedure so you can swiftly and effectively investigate a breach and keep appropriate records.
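Steps 2 and 7 are where all three cases above went wrong: an account gained administrator rights and hopped between systems, and nobody noticed. The following is an added example of the kind of detection logic a monitoring team would run over its logs; it is not code from the ICO, from any of the companies named, or from the original article. The event IDs are the real Windows Security log IDs (4624 logon, 4732 member added to a security-enabled local group, 4672 special privileges assigned), but the events themselves, the host and user names, and the APPROVED_ADMIN_ACTORS allow-list are constructed for the example.

```python
"""Flag privileged-group additions and lateral-movement logon patterns.

Added example (not from the ICO, the companies named or the article).
SAMPLE_EVENTS is a constructed, simplified log; real logs need a parser.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Groups whose membership changes should always be reviewed.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
# Assumption for the example: accounts allowed to change privileged groups.
APPROVED_ADMIN_ACTORS = {"it-admin"}

# Constructed events. logon_type 3 is a network logon (used when an account
# authenticates to a remote host, which is what lateral movement looks like).
SAMPLE_EVENTS = [
    {"ts": "2022-08-01T09:00:00", "id": 4624, "user": "jsmith", "host": "WS-12", "logon_type": 2},
    {"ts": "2022-08-01T09:05:00", "id": 4624, "user": "jsmith", "host": "FILE-01", "logon_type": 3},
    {"ts": "2022-08-01T09:06:00", "id": 4624, "user": "jsmith", "host": "FILE-02", "logon_type": 3},
    {"ts": "2022-08-01T09:07:00", "id": 4624, "user": "jsmith", "host": "DC-01", "logon_type": 3},
    {"ts": "2022-08-01T09:08:00", "id": 4624, "user": "jsmith", "host": "SQL-01", "logon_type": 3},
    {"ts": "2022-08-01T09:10:00", "id": 4732, "user": "jsmith", "host": "DC-01",
     "group": "Administrators", "member": "jsmith"},
    {"ts": "2022-08-01T09:11:00", "id": 4672, "user": "jsmith", "host": "DC-01"},
    {"ts": "2022-08-01T10:00:00", "id": 4624, "user": "svc-backup", "host": "FILE-01", "logon_type": 3},
    {"ts": "2022-08-01T10:30:00", "id": 4732, "user": "it-admin", "host": "DC-01",
     "group": "Administrators", "member": "new-admin"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_privileged_group_additions(events, privileged=PRIVILEGED_GROUPS,
                                    approved=APPROVED_ADMIN_ACTORS):
    """Every addition to a privileged group is an alert; an account granting
    itself membership, or an unapproved actor doing so, is rated high."""
    alerts = []
    for e in sorted(events, key=_ts):
        if e["id"] not in (4728, 4732) or e.get("group") not in privileged:
            continue
        actor, member = e["user"], e["member"]
        severity = "high" if (actor == member or actor not in approved) else "medium"
        alerts.append({"kind": "privileged_group_addition", "severity": severity,
                       "actor": actor, "member": member, "group": e["group"],
                       "host": e["host"], "ts": e["ts"]})
    return alerts


def find_lateral_movement(events, window_minutes=15, min_hosts=3):
    """One account performing network logons to min_hosts distinct hosts
    inside a sliding window is flagged once, with the hosts seen so far."""
    recent = defaultdict(deque)  # user -> deque of (time, host) in the window
    alerts, alerted = [], set()
    for e in sorted(events, key=_ts):
        if e["id"] != 4624 or e.get("logon_type") != 3:
            continue
        now, q = _ts(e), recent[e["user"]]
        q.append((now, e["host"]))
        while q and now - q[0][0] > timedelta(minutes=window_minutes):
            q.popleft()
        hosts = {h for _, h in q}
        if len(hosts) >= min_hosts and e["user"] not in alerted:
            alerted.add(e["user"])
            alerts.append({"kind": "lateral_movement", "severity": "high",
                           "user": e["user"], "hosts": sorted(hosts),
                           "first": q[0][0].isoformat(), "last": now.isoformat()})
    return alerts


def triage(events):
    """Combined alert list, privilege changes first."""
    return find_privileged_group_additions(events) + find_lateral_movement(events)


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

On the constructed log this yields three alerts: jsmith granting jsmith Administrators (high), it-admin adding new-admin (medium, a legitimate actor but still worth a ticket), and jsmith's hop across three servers in two minutes. The point of step 7 is not the rules themselves but that someone is on duty to read them; in the Capita case the alert fired and nobody acted on it in time.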
Where to get more help?
Hindsight is a wonderful thing, and when reading about the failings of others it is easy to see what measures should have been in place. In reality it is not easy, and security can be complex to manage. However, there is plenty of helpful advice and resources published by the NCSC. We would highly recommend that smaller organisations become Cyber Essentials certified. It is also worth checking out the ICO ransomware guidance.