Hackers hid inside major UK water utility for nearly 2 years
A British privacy regulator fined a major water supplier nearly $1.3 million after finding the utility left longstanding security gaps unaddressed across its corporate network, allowing a ransomware intrusion to expose the personal information of more than 633,000 customers, employees and contractors.
The U.K. Information Commissioner’s Office said Monday it fined South Staffordshire Water and its parent company, South Staffordshire, 963,900 pounds following an investigation into a 2022 cyberattack that compromised names, dates of birth, contact information, payment details, online account credentials and limited health-related information. The penalty notice links the breach to a September 2020 phishing attack that installed malware inside the company’s corporate network.
“Customers do not have the choice over which water company serves them,” said Ian Hulme, ICO interim executive director for regulatory supervision. “They are required to share their personal information and place their trust in that provider.”
Read more at Gov Info Security