A water company has been fined nearly £1 million by the Information Commissioner's Office (ICO) after a cyber attack led to the personal data of customers and employees being published on the dark web.
The company began an investigation in July 2022 after experiencing IT performance issues. The investigation revealed that an attachment to a phishing email had been opened in September 2020, allowing a hacker to install malicious software which remained undetected. In May 2022, the hacker had obtained domain administrator privileges. Personal information relating to more than 633,000 UK data subjects, including current and former customers and employees, was subsequently published on the dark web. This included personal details such as names, addresses and dates of birth; customers' usernames and passwords, bank details and financial status; employees' National Insurance numbers and, for a small percentage of customers, information from which disabilities could be inferred.
The ICO concluded that, during the relevant period, the company had infringed Article 5(1)(f) and Article 32(1) of the UK General Data Protection Regulation (GDPR). It had failed to properly implement the principle of least privilege, where accounts and users have the minimum access needed to perform their role, and had not implemented adequate security monitoring and logging. It had also failed to migrate away from devices running obsolete software, such as a version of Windows for which extended support had ended in July 2015, and to implement adequate vulnerability management.
The ICO found that imposing a penalty would, in the circumstances of the case, be an effective means of ensuring compliance with the UK GDPR, sanctioning the infringements and acting as a deterrent against future non-compliance. It would also be a proportionate regulatory response. The infringements were within the medium seriousness category, considering the nature, scope and purpose of the relevant processing, the number of data subjects affected and the level of damage they had suffered.
The ICO noted that the company had cooperated with its investigation, including proactively communicating an admission of infringement of Article 5(1)(f) and Article 32(1). It had reported the data breach and taken steps to mitigate the damage to data subjects. After taking into account those mitigating factors and a settlement discount, the ICO imposed a penalty of £963,900.