Regulator says basic security failings exposed personal data of 633,887 people
The Information Commissioner’s Office has penalised a water company nearly £1m after a cyber attack exposed the data of 633,887 people. For solicitors, the ruling sets a clear benchmark on the security failings that draw enforcement.
The ICO has fined South Staffordshire Plc and South Staffordshire Water Plc £963,900 after a Cl0p ransomware attack leaked the personal data of 633,887 customers and staff onto the dark web. The regulator found that basic security controls had been missing for nearly two years. The same legal test, Articles 5(1)(f) and 32 UK GDPR, was used to fine a law firm last year, making this a live risk for the profession.
The Information Commissioner’s Office (ICO) has fined South Staffordshire Plc and its subsidiary South Staffordshire Water Plc a combined £963,900 following a serious cyber attack that exposed significant weaknesses in the company’s data security. The penalty was confirmed in mid-May 2026.
According to the regulator, the breach can be traced back to September 2020, when an employee opened a malicious email attachment. The malware it installed sat undetected on the network for around 20 months. In May 2022, the attacker moved laterally through the systems and seized domain administrator privileges, the highest level of access available. The intrusion was only spotted that July, after IT performance problems triggered an internal investigation.
By then, the damage was done. Between August and November 2022, the company discovered that more than 4.1 terabytes of data had been published on the dark web by the Cl0p ransomware group. The information related to 633,887 people and included names, addresses, dates of birth, bank account details, and, for some, data from which disabilities could be inferred. Employees’ National Insurance numbers were also among the leaked files.
What the ICO found wrong
The ICO concluded that South Staffordshire had failed to put in place appropriate technical and organisational measures, as required under UK data protection law. Its specific criticisms were strikingly ordinary: limited internal controls that let the attacker escalate privileges, inadequate monitoring and logging, and the use of obsolete, unsupported software. The regulator noted that only a small fraction of the company’s IT environment was being actively monitored.
“The steps that South Staffordshire failed to take are established, widely understood, and effective controls to protect computer networks.” Ian Hulme, interim executive director for regulatory supervision, ICO
The company made an early admission of liability and agreed to pay without appeal. In recognition of the efficiencies this brought to the investigation, the ICO applied a 40% reduction, arriving at the final £963,900 figure through a voluntary settlement.
Why this matters for solicitors
It would be easy to file this as a utilities story. It is not. The ICO acted under Articles 5(1)(f) and 32 of the UK GDPR, the same provisions it relied on in April 2025 to fine the Merseyside law firm DPP Law £60,000, after a ransomware attack put highly sensitive client information, including material relating to criminal allegations, onto the dark web.
The pattern in both cases is the same: a foothold gained through weak access controls, a high-privilege account left exposed, thin monitoring, and a delay in grasping the scale of the loss. Law firms hold exactly the kind of special-category and legally privileged data that makes a breach most damaging, and the regulator has now shown, twice, that it will treat preventable security failures as enforcement matters rather than misfortunes.
The exposure does not end with the ICO. Claimant firms are already circling: in the South Staffordshire matter, one practice is reported to be acting for thousands of affected individuals seeking compensation for distress and financial loss. A breach can therefore become both a regulatory penalty and a group claim.
Key implications for firms
- Audit privileged accounts. Legacy and service administrator accounts with unrestricted access are a recurring failure point in both rulings.
- Monitor and log properly. The ICO repeatedly faults organisations that cannot see attackers moving inside their own networks.
- Retire obsolete software. Unsupported systems featured in the South Staffordshire findings and remain an enforcement red flag.
- Report within 72 hours. Slow breach reporting was treated as an aggravating factor in the DPP Law case.
- Expect civil claims to follow. Regulatory fines and group compensation actions increasingly travel together.
The SRA continues to recommend Cyber Essentials Plus as a recognised benchmark for managing cyber risk in legal practice. For compliance leads, the South Staffordshire ruling is a useful, concrete prompt: the controls the ICO expects are neither exotic nor expensive, and their absence is now demonstrably costly.