South Staffordshire PLC, the parent company of South Staffordshire Water, discovered in July 2022 that it had suffered a significant cyber-attack. When the incident was first announced in August 2022, it was reported that cybercriminals had accessed the personal data of current and former employees. Subsequent investigations later confirmed that customer information had also been compromised.
In May 2026, the UK Information Commissioner’s Office (ICO) fined South Staffordshire Plc and South Staffordshire Water Plc £963,900 following its investigation into the breach. The ICO found that the company had failed to implement appropriate cybersecurity measures, allowing attackers to remain undetected within its systems for nearly two years. The ICO also confirmed that South Staffordshire made an early admission of liability and agreed to a voluntary settlement without appeal.
The ICO stated that the breach resulted in the personal data of approximately 633,887 individuals being exposed and later published on the dark web. The compromised information is understood to have included:
- Customer names
- Customer addresses
- Email addresses
- Dates of birth
- Telephone numbers
- Account usernames and passwords for online services
- Bank account numbers and sort codes (where customers paid by direct debit)
- Employee HR information, including National Insurance numbers for some staff members
A small number of customers on the Priority Services Register may also have had sensitive information exposed from which disabilities could be inferred.
We can help you to make a no-win, no-fee compensation claim for the negligent treatment of your data and the breach of your right to privacy.