Key takeaways from the South Staffordshire cyber-attack and nearly £1M fine: understanding the ICO’s approach to cyber security enforcement

On 7 May 2026, the Information Commissioner’s Office (ICO) imposed a fine of £963,900 on South Staffordshire Plc and South Staffordshire Water Plc (together, South Staffordshire). The fine followed a significant cyber-attack which began in September 2020 and led to the personal data of more than 600,000 people being published on the dark web. 

The penalty notice is particularly notable for organisations for two primary reasons. First, it gives a clear indication of the types of cyber security failings the ICO is likely to scrutinise following a cyber incident. Second, the notice provides a step-by-step account of how the ICO applies its data protection fining guidance to calculate fines, including the impact of voluntary settlement on the final penalty. 

Background

South Staffordshire is an integrated group whose regulated water business supplies water to approximately 1.6 million people. The breach came to light in July 2022 when South Staffordshire identified marked IT performance issues and anomalous activity. A subsequent investigation confirmed a cyber-attack involving the nefarious use of Cobalt Strike, a cyber-security penetration testing tool, and the presence of malicious code within South Staffordshire’s IT environment. The investigation found that the threat actor had first gained access through a phishing email in September 2020 and had then remained dormant for a prolonged period before moving laterally through South Staffordshire’s IT system in 2022.

South Staffordshire later identified approximately 4 TB of exfiltrated data published on the dark web, affecting over 600,000 UK data subjects, including customers, current employees and former employees. The published data included contact details, account information, bank account and sort code details, HR information, usernames and passwords, and a very small subset of special category data and data relating to vulnerable persons. 

What did the ICO conclude?

The ICO concluded that South Staffordshire infringed Article 5(1)(f) UK GDPR, which requires personal data to be kept secure against unauthorised access and disclosure, and Article 32(1) UK GDPR, which requires organisations to implement security measures appropriate to the relevant risk, because it failed to implement appropriate technical and organisational measures to protect the personal data in its IT environment. South Staffordshire admitted an infringement of Article 5(1)(f) UK GDPR. 

The ICO considered the failings to be negligent in character and identified four principal failings: 

1. As recommended by the National Cyber Security Centre (NCSC), South Staffordshire had not properly implemented the principle of least privilege, under which users and administrators should only have the minimum access rights needed to perform their roles, and Active Directory tiering, which is designed to keep highly privileged administrator accounts separate from lower-trust parts of the network. That meant the threat actor was able to move laterally through the IT system with limited resistance.
2. South Staffordshire failed to implement adequate security monitoring and logging. For example, in December 2021, only 5% of the IT environment was being monitored by the third-party security operations centre.
3. South Staffordshire had not migrated away from obsolete systems, including the long-obsolete Windows Server 2003, despite the risks associated with end-of-life software that no longer receives security updates.
4. The ICO found that vulnerability management was inadequate, with unpatched exposure to the ZeroLogon vulnerability, a serious Windows flaw that can allow an attacker to take control of a network domain. In addition, no internal or external vulnerability scans were carried out during the relevant period.

Taken together, these failings meant that South Staffordshire did not have an effective security framework in place to identify, prevent or respond to the attack.

The ICO’s penalty calculation process

The penalty notice goes into some detail on how the fine in this case was calculated by reference to the ICO’s data protection fining guidance. This serves as a useful guide as to how the ICO applies this guidance in practice, and how fines of this nature might be approached.   

As a general note, under Article 83(1) UK GDPR, any penalty imposed by the ICO must be effective, proportionate and dissuasive. 

The ICO started with the statutory maximum for the most serious infringement, namely the integrity and confidentiality principle in Article 5(1)(f) UK GDPR. The maximum fine for such an infringement is the higher of £17.5 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover in the preceding financial year. Because South Staffordshire formed part of a group with consolidated turnover of approximately £385 million, the ICO concluded that the relevant maximum was the fixed cap of £17.5 million.  The ICO also decided to impose a single penalty because the data protection law infringements in the case arose from “the same or linked” processing operations. 

The ICO then assessed the seriousness of the case and placed the case in the medium seriousness category, selecting a starting point of 15% of the statutory maximum (i.e. £17.5m) for its fine calculation.  This assessment took into account factors such as the scale of the breach, the number of affected individuals, the publication of personal data on the dark web, the two-year duration of the infringements, the negligent nature of the failings, and the types of data involved, including payroll information and a small amount of special category data. The ICO noted that the publication of personal data on the dark web is assumed to be capable of giving rise to loss of control over personal data and a risk of harm to affected data subjects. 

 That figure was then adjusted downward further, applying an 85% turnover adjustment, to reflect the size of the organisation. 

From there, the ICO considered mitigating factors which included South Staffordshire’s cooperation with the investigation, its proactive admission of infringement, its reporting of the breach to the NCSC and other relevant bodies and the steps it took to mitigate harm to affected individuals. Taken together, these factors were seen to warrant a further 20% reduction in the fine. 

A further 10% discretionary reduction was then applied to ensure that the penalty remained effective, proportionate and a dissuasive response to the infringements.  Finally, because the matter settled at an early stage, the ICO applied a 40% settlement discount, producing the final, published penalty of £963,900. 

While some details in the notice were redacted presumably to protect commercially sensitive information, the decision nevertheless provides a practical illustration of how the ICO moves from statutory maximum to final penalty.

Key takeaways 

This decision provides a useful reference for the ICO’s expectations around baseline cyber security and compliance with Article 5(1)(f) and Article 32(1) UK GDPR. 

In particular, organisations should take note of the following:

• This incident originated from a phishing email that enabled initial access. Significant breaches can originate from routine phishing emails, reinforcing the need for strong user awareness alongside technical safeguards such as email filtering and multi-factor authentication.
• In line with NCSC guidance, users and administrators should have the minimum permissions and access necessary to perform their roles, and Active Directory tiering should be implemented to limit lateral movement in the event of a breach.
• Comprehensive security monitoring is essential. Monitoring of only part of your IT systems creates blind spots and increases the risk that malicious activity goes undetected for extended periods.
• Using obsolete systems creates significant risk. Running end-of-life operating systems invites threat actors to exploit known, unpatched vulnerabilities. The NCSC advises that once software becomes obsolete, it must be decommissioned.
• Robust vulnerability management is a baseline regulatory expectation, requiring regular vulnerability scanning combined with the timely patching of known issues to effectively identify and mitigate exploitable weaknesses.

Commentary

The ICO’s findings provides a clear indication of the standards the ICO now expects organisations to meet in practice in relation to cyber security resilience. While measures such as access controls, active monitoring, and the decommissioning of legacy systems are often categorised as ‘best practice’, the ICO increasingly view these established controls as the baseline for "appropriate" technical and organisational measures under the UK GDPR.

The ICO’s fine calculation is also worth noting. The published penalty was the product of a multi-stage assessment. The result is that the headline figure of £963,900 understates the ICO’s underlying assessment of the case, which was more than £1.6 million before settlement. For organisations seeking to understand their potential exposure, this assessment provides a helpful guide both in assessing exposure and in shaping response strategies following a cyber-attack.

For queries or advice on the content of this article, please contact Hamish Corner, Lucy Pegler, Amanda Leiu or a member of Burges Salmon's Commercial & Technology team. 

This article was written by Ruadhán Ó Gráda and Amanda Leiu.