South Staffs Water breach 634,000 affected

South Staffordshire Plc and South Staffordshire Water Plc were fined £963,900 by the Information Commissioner’s Office on May 11 after a cyber attack led to the personal data of 633,887 people being extracted and published on the dark web. The ICO said the attack began with a phishing email in September 2020 and remained undetected for 20 months before the breach was identified in July 2022. The regulator said the compromised information included names, addresses, dates of birth, phone numbers, bank details and, for some employees, National Insurance numbers. BBC reporting published on May 24 said some affected customers later faced scam emails, fraud attempts and a lasting loss of trust. ### How did the breach begin and how long did it go unnoticed? The ICO said the breach began when a recipient opened an email attachment that installed malicious software inside the company’s systems. The regulator said the attacker later moved through the network in May 2022, obtained domain administrator privileges and was discovered only after IT performance problems triggered an internal investigation on July 15, 2022. (ico.org.uk) On July 24, 2022, the company reported a personal data breach to the ICO, and on July 26 it found a ransom note that the hacker had unsuccessfully tried to distribute to some staff, according to the regulator. Between August and November 2022, South Staffordshire detected that more than 4.1 terabytes of data had been published on the dark web, the ICO said. (ico.org.uk) ### Whose data was exposed? The ICO said South Staffordshire held personal information on about 1.85 million customers at the time of the attack, including roughly 750,000 current customers and 1.1 million former customers, as well as thousands of current and former employees. Of those records, 633,887 people had personal information published on the dark web in August 2022, according to the regulator. (ico.org.uk) The ICO said the exposed data included full names, physical addresses, email addresses, dates of birth, gender and telephone numbers. For customers, the compromised information also included account credentials for South Staffordshire Water online services and bank account numbers and sort codes; for employees, it included HR information such as National Insurance numbers. For a small percentage of customers on the Priority Services Register, the data also included information from which disabilities could be inferred, the regulator said. (ico.org.uk) ### What have affected customers said happened afterward? BBC reporting on May 24 cited customers who said the breach was followed by scam emails and identity-related fraud. Chris Durham, 53, of Halesowen, told the BBC that two phone contracts were taken out in his name after the hack, including one for an iPhone due to be delivered in London. He said it took months to recover his money and described himself as “frustrated, stressed and violated.” (ico.org.uk) The BBC report said Durham also described lasting mistrust after the breach, saying he now checks his bank account constantly for unusual activity. South Staffordshire said in the same report that it “remained focused on learning from this incident and maintaining strong safeguards across the group.” ### Why does the Shetland fraud warning matter here? The Shetland Times reported on May 23 that a local technology expert warned of an increase in scam emails and said one message posing as a well-known Lerwick shop originated in Kazakhstan. (ca.news.yahoo.com) The report did not tie that case directly to South Staffs Water, but it described the same type of impersonation and credential-harvesting risk that often follows large data exposures. The National Cyber Security Centre has also flagged a rise in credential-harvesting campaigns impersonating HMRC, major banks and NHS digital services, the Shetland Times said. That report advised people not to click suspicious links and not to reuse passwords across accounts. ### What is South Staffs Water telling customers to do now? South Staffs Water’s incident support page says affected customers can review notification details, available support and guidance on phishing, vishing and identity theft. (shetlandtimes.co.uk) The company’s FAQ also says customers can find information on credit monitoring through TransUnion TrueIdentity, whether bank details were affected and what to do if suspicious activity appears later. The company’s support page remains live as of May 24, 2026, and the ICO’s penalty notice was issued on May 11, 2026. Those two sources set the next reference points for affected customers: the regulator’s findings and the company’s own incident-response guidance. (ico.org.uk) (south-staffs-water.co.uk)