A UK water company has been fined nearly £1m ($1.4m) by the data protection regulator after a two-year-long incident resulted in the compromise of personal information on over 633,000 people.
South Staffordshire Water and its parent company South Staffordshire PLC agreed not to contest the penalty; in return the Information Commissioner’s Office (ICO) reduced it by 40% from the original £1.6m ($2.2m).
The incident itself began with a successful phishing email on September 11, 2020 which resulted in the installation of the Get2 downloader and the SDBbot remote access Trojan (RAT).
However, the network intrusion went undetected for nearly two years. On May 17, 2022 the threat actor began moving laterally through the water company’s network, using a domain administrator account and the Remote Desktop Protocol (RDP) to access 20 different endpoints between that date and August 4.
The breach was only discovered when IT performance issues – caused by “unscheduled database exports” – prompted an investigation on July 15, 2022. Nine days later the company reported a personal data breach to the regulator.
On July 26, the water company discovered a ransom note that the threat actor had unsuccessfully tried to send to some members of staff.
The threat actor claimed to have stolen 4.1TB of data from South Staffordshire Water, relating to 633,887 current and former customers and employees. That is around a third (34%) of all the personal information held by the company, according to the ICO.
The stolen PII, which was dumped on the dark web, was highly sensitive, including:
- Personal details such as full name, physical and email address, date of birth, gender and telephone number
- Employee HR information including National Insurance numbers
- Customer account information, and bank account number and sort code
- Information relating to customers on the Priority Services Register, from which disabilities could be inferred
Multiple Security Failings
The company’s security posture was found wanting on several fronts:
- Limited controls (including a lack of least privilege policy enforcement) that enabled the attacker to escalate to administrator privileges
- Inadequate monitoring and logging, with just 5% of the IT environment being monitored
- Use of legacy unsupported software on some devices, including Windows Server 2003 (out of Microsoft extended support since July 2015)
- Inadequate vulnerability management, including unpatched critical systems and no regular internal or external security scans
Ian Hulme, ICO interim executive director for regulatory supervision, argued that water customers don’t have a choice as to which company they use, meaning providers must take data protection responsibilities seriously.
“The steps that South Staffordshire failed to take are established, widely understood and effective controls to protect computer networks. The ICO expects all organizations – and particularly those handling large volumes of personal information as part of critical national infrastructure – to have these in place,” he added.
“Waiting for performance issues or a ransom note to discover a breach is not acceptable. Proactive security is a legal requirement, not an optional extra.”
Lessons Learned
The ICO published a lengthy write-up of the case, which could be useful for security professionals working in this and other critical infrastructure sectors.
The regulator urged organizations to review their own resilience posture in light of the incident, and ask themselves the following:
- Are least privilege access controls in place?
- Are logging and monitoring controls providing sufficient coverage of the IT environment, and are alerts being acted upon?
- Are all systems patched and supported?
- Is vulnerability management part of regular operational practice, including both internal and external scanning?
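Two of the questions above, whether logging covers the estate and whether privileged access is actually watched, map directly onto the intrusion as described: a domain administrator account used over RDP to reach 20 endpoints, in an environment where only 5% of systems were monitored. The following is an added example, not code from the article or from the ICO report, showing the kind of detection logic a SOC could run over forwarded Windows Security events to surface that fan-out, plus a simple check for inventoried hosts that send no logs at all. The event layout, account names, host names, log lines and thresholds are all constructed for the example; only the Windows conventions it relies on (event ID 4624 for a successful logon, logon type 10 for RemoteInteractive/RDP) are real.

```python
"""Added example: flag a privileged account fanning out over RDP, and measure log coverage.

Assumptions (hypothetical): Windows Security 4624 events flattened to dicts with
TargetDomainName, TargetUserName, LogonType, Computer, IpAddress and an ISO 8601 time;
the privileged-account list and host inventory are supplied by the caller.
"""
from collections import defaultdict
from datetime import datetime, timedelta

REMOTE_INTERACTIVE = 10  # Windows logon type 10 = RDP session

# Constructed sample telemetry, not real data: a service account holding domain-admin
# rights hops across several servers in one morning; a helpdesk user RDPs to one host.
SAMPLE_EVENTS = [
    {"time": "2022-05-17T08:55:02", "EventID": 4624, "LogonType": 10, "TargetDomainName": "CORP",
     "TargetUserName": "svc-backup", "Computer": "FS01", "IpAddress": "10.0.5.23"},
    {"time": "2022-05-17T09:10:44", "EventID": 4624, "LogonType": 10, "TargetDomainName": "CORP",
     "TargetUserName": "svc-backup", "Computer": "SQL02", "IpAddress": "10.0.5.23"},
    {"time": "2022-05-17T09:31:19", "EventID": 4624, "LogonType": 3, "TargetDomainName": "CORP",
     "TargetUserName": "svc-backup", "Computer": "DC01", "IpAddress": "10.0.5.23"},  # network logon, not RDP
    {"time": "2022-05-17T10:02:37", "EventID": 4624, "LogonType": 10, "TargetDomainName": "CORP",
     "TargetUserName": "svc-backup", "Computer": "APP03", "IpAddress": "10.0.5.23"},
    {"time": "2022-05-17T10:40:05", "EventID": 4624, "LogonType": 10, "TargetDomainName": "CORP",
     "TargetUserName": "svc-backup", "Computer": "SQL02", "IpAddress": "10.0.5.23"},  # repeat host
    {"time": "2022-05-17T11:15:50", "EventID": 4624, "LogonType": 10, "TargetDomainName": "CORP",
     "TargetUserName": "svc-backup", "Computer": "HR-DB01", "IpAddress": "10.0.5.23"},
    {"time": "2022-05-17T11:20:00", "EventID": 4624, "LogonType": 10, "TargetDomainName": "CORP",
     "TargetUserName": "jsmith", "Computer": "WS-0412", "IpAddress": "10.0.9.8"},
    {"time": "2022-05-19T08:00:00", "EventID": 4624, "LogonType": 10, "TargetDomainName": "CORP",
     "TargetUserName": "svc-backup", "Computer": "FS01", "IpAddress": "10.0.5.23"},  # outside 24h window
]
PRIVILEGED_ACCOUNTS = {"corp\\svc-backup", "corp\\da-admin"}  # hypothetical Domain Admins members
SAMPLE_INVENTORY = ["FS01", "SQL02", "DC01", "APP03", "HR-DB01", "WS-0412", "WS-0413", "OT-HIST01"]


def account_key(event):
    """Normalise DOMAIN\\user so the privileged list can be matched case-insensitively."""
    return f"{event['TargetDomainName']}\\{event['TargetUserName']}".lower()


def privileged_rdp_logons(events, privileged):
    """Return (time, account, host, source_ip) for successful RDP logons by privileged accounts, time-sorted."""
    hits = []
    for e in events:
        if e.get("EventID") != 4624 or e.get("LogonType") != REMOTE_INTERACTIVE:
            continue
        acct = account_key(e)
        if acct in privileged:
            hits.append((datetime.fromisoformat(e["time"]), acct, e["Computer"], e["IpAddress"]))
    hits.sort()
    return hits


def detect_rdp_fanout(events, privileged, max_hosts=3, window=timedelta(hours=24)):
    """Flag privileged accounts whose RDP logons reach more than max_hosts distinct hosts
    inside any sliding window. Returns {account: {"first_alert", "hosts", "sources"}}."""
    by_account = defaultdict(list)
    for t, acct, host, src in privileged_rdp_logons(events, privileged):
        by_account[acct].append((t, host, src))

    alerts = {}
    for acct, logons in by_account.items():
        start = 0  # left edge of the sliding window over this account's logons
        for i, (t, _, _) in enumerate(logons):
            while logons[start][0] < t - window:
                start += 1
            in_window = logons[start:i + 1]
            hosts = {h for _, h, _ in in_window}
            if len(hosts) > max_hosts:
                a = alerts.setdefault(acct, {"first_alert": t, "hosts": set(), "sources": set()})
                a["hosts"].update(hosts)
                a["sources"].update(s for _, _, s in in_window)
    for a in alerts.values():  # make output deterministic
        a["hosts"] = sorted(a["hosts"])
        a["sources"] = sorted(a["sources"])
    return alerts


def log_coverage(inventory, events):
    """Fraction of inventoried hosts that produced at least one event, plus the silent hosts.
    A detector like the one above is blind to anything in the silent list."""
    reporting = {e["Computer"] for e in events}
    silent = sorted(h for h in inventory if h not in reporting)
    return (len(inventory) - len(silent)) / len(inventory), silent


if __name__ == "__main__":
    for acct, a in detect_rdp_fanout(SAMPLE_EVENTS, PRIVILEGED_ACCOUNTS).items():
        print(f"ALERT {acct}: {len(a['hosts'])} hosts over RDP by {a['first_alert']} from {a['sources']}")
    frac, silent = log_coverage(SAMPLE_INVENTORY, SAMPLE_EVENTS)
    print(f"log coverage {frac:.0%}; silent hosts: {silent}")
```

The threshold of three distinct hosts in 24 hours is deliberately low because interactive RDP by a Domain Admin account should be rare by policy; tune it per account tier rather than globally. The coverage check is the part most organisations skip: an alert rule is only as good as the share of the estate forwarding events, and a host that never appears in the log source cannot trip it.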
