ICO fines Cl0p victim South Staffs Water over data breach | Computer Weekly
Utility operator South Staffordshire Plc and its subsidiary South Staffordshire Water Plc have been fined £964,900 by the Information Commissioner’s Office (ICO), a reduced penalty that takes account of improvements made after a Cl0p ransomware attack that led to the personal data of over 600,000 people being leaked onto the dark web.
The cyber attack itself came to light in August 2022, and was at first the source of some confusion when the Cl0p gang misidentified its victim and claimed it was attacking and extorting Thames Water. The cyber criminals even published a lengthy rant against Thames Water and accused it of ignoring them, and not caring about its customers. The hapless cyber crooks’ erroneous claims were widely repeated across the UK media at the time.
The exposed data included personal details of South Staffordshire customers, such as full names, birthdates and gender information, account information including credentials for online services, financial data including bank account numbers and sort codes, and contact details including email and postal addresses, and phone numbers.
A small percentage of customers listed on the Priority Service Register had information exposed from which medical information may have been inferred, and a small number of employees were also affected by a leak of human resources data including National Insurance numbers.
The ICO said the incident exposed “significant failures” in the company’s approach to data security, and had left both its customers and employees vulnerable for years.
“Customers do not have the choice over which water company serves them – they are required to share their personal information and place their trust in that provider,” said Ian Hulme, ICO interim executive director for regulatory supervision.
“It is therefore essential that water companies honour that trust by taking their data protection responsibilities seriously.”
Lying low
Although the cyber attack itself took place in 2022, the incident in fact dates back to 2020, when an individual at South Staffordshire fell for a phishing email that enabled the threat actors to install malware on its systems undetected.
Though it is unclear whether Cl0p breached South Staffordshire’s systems itself or bought access from an initial access broker (IAB), by May 2022 – some 20 months later – the gang had started to move laterally through South Staffordshire’s network and was able to obtain domain administrator privileges. Even so, Cl0p’s presence was not detected until the middle of July, when IT performance issues prompted an internal investigation.
On 26 July 2022, South Staffordshire’s IT teams reported a personal data breach to the ICO – then, two days later, discovered a ransom note that Cl0p had tried to distribute to staff members – apparently without success.
However, the extent of the data leak did not become apparent for another four months, when South Staffordshire discovered that over 4.1 terabytes of data had been published.
In the course of its probe, the ICO said it had found that South Staffordshire had not implemented the appropriate security controls required of it under UK law. Failings included limited controls that allowed Cl0p to escalate its privileges; inadequate monitoring and logging that failed to detect its activity; the use of obsolete software, including Windows Server 2003; and inadequate vulnerability management, with systems left unpatched and neither internal nor external security scanning undertaken.
“The steps that South Staffordshire failed to take are established, widely understood and effective controls to protect computer networks,” said Hulme. “The ICO expects all organisations – and particularly those handling large volumes of personal information as part of critical national infrastructure – to have these in place.
“Waiting for performance issues or a ransom note to discover a breach is not acceptable,” he added. “Proactive security is a legal requirement, not an optional extra.”
Cyber improvements
The ICO said the total fine of just under a million pounds – a 40% reduction on the amount initially proposed – was a voluntary settlement that reflected South Staffordshire’s representations and accounted for various improvements made in the wake of the incident, as well as the proactive support the organisation offered to those affected, and its engagement with regulators and the National Cyber Security Centre (NCSC).
It added that South Staffordshire had made an early admission of liability, and in accepting its findings, agreed to pay the penalty without further appeal.
“We welcome South Staffordshire’s early admission and cooperation in this case, allowing us to reach a voluntary settlement and save resources,” noted Hulme.
South Staffordshire has been contacted for comment but had not responded to our inquiries at the time of publication.