South Staffordshire Plc
GDPR enforcement action by Information Commissioner (ICO) on 2026-05-07.
Case details
- Authority: Information Commissioner (ICO)
- Date: 2026-05-07
- Controller / Processor: South Staffordshire Plc
- Sector: Industry and Commerce
- Quoted Articles: Art. 5 (1) f) GDPR, Art. 32 (1) GDPR
- Type of violation: Insufficient technical and organisational measures to ensure information security
Summary
The UK DPA has imposed a fine of £963,900 (EUR 1,112,100) on South Staffordshire Plc and South Staffordshire Water Plc. The controller suffered a significant cyber attack that went undetected for 20 months. The attack began with a successful phishing email, through which the attacker installed malicious software on the controller's IT systems. Twenty months later, the attacker obtained domain administrator rights and exfiltrated data, which was subsequently published on the dark web: 4.1 TB of data affecting 633,887 data subjects. The attack was discovered only when the controller noticed performance issues in its IT systems. The controller had failed to implement adequate control routines, adequate monitoring and logging (only 5% of its IT estate was monitored), adequate software on some devices, and adequate vulnerability management. The controller admitted liability and cooperated voluntarily with the DPA; as a result, the fine was reduced by 40% from the amount the DPA had originally intended to impose.