South Staffordshire Plc – €1,127,763 Fine (United Kingdom, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Another fine was imposed on South Staffordshire Plc for a different cyber attack that exposed even more personal data. The company failed to secure its systems, allowing a hacker to access sensitive information. This case serves as a warning for businesses to prioritize data protection.
What happened
South Staffordshire Plc experienced a cyber attack where a hacker accessed and stole personal data from their systems.
Who was affected
Around 633,887 individuals whose personal information was compromised during the attack.
What the authority found
The Information Commissioner's Office found that South Staffordshire Plc did not have sufficient security measures to prevent the data breach.
Why this matters
This incident reinforces the need for businesses to take data security seriously. Companies should regularly review and improve their cybersecurity practices to protect user information.
Entities Involved
South Staffordshire Plc (the controller) is an integrated services group that operates a regulated water company, South Staffordshire Water Plc, as well as several complementary non-regulated businesses that serve essential services in the UK.
In July 2022, the controller became aware of a cyber-attack in which the threat actor used Cobalt Strike on multiple devices to enable command-and-control communications. The controller launched an investigation and determined that the initial access had occurred in September 2020 through a successful phishing campaign. Opening a malicious email attachment resulted in the installation of Get2 and the SDBBOT Remote Access Trojan, which enabled persistence on the endpoint. The threat actor is understood to have remained dormant, with potential access to the network, until May 2022.
The controller later discovered a ransom note that the threat actor had unsuccessfully attempted to distribute to certain staff members. In that note, the threat actor claimed to have exfiltrated 5.5 TB of data. The controller identified an approximate total of 4.121 TB of exfiltrated data published on the dark web. The published data included the personal data of approximately 633,887 UK data subjects. This comprised current customers, former customers, individuals on the Priority Services Register, and current and former employees.
The following categories of personal data were published on the dark web: personal details (full name, physical address and email address, date of birth/age, gender, telephone number); for employees only, HR information (employee number, applicant number, National Insurance number, username and password); for customers only, account information (customer reference number, property information including occupant information, bank account number and sort code, financial status information, Priority Services data, username and password); for a small percentage of customers on the Priority Services Register, information from whi
Details
Fine Date
7 May 2026
Authority
Information Commissioner's Office
Fine Amount
€1,127,763
963,900 GBP
GDPRhub ID
gdprhub-10004
Cite as: Cookie Fines. South Staffordshire Plc - United Kingdom (2026). Retrieved from cookiefines.eu