Why this ICO case matters
A new ICO enforcement case is a serious reminder that cyber security is now a board, compliance and supply-chain issue – not just an IT issue.
The ICO fined South Staffordshire Plc and South Staffordshire Water Plc £963,900 following a cyber attack that resulted in personal information belonging to 633,887 people being extracted and published on the dark web.
The attack began with a phishing email. Malicious software then remained undetected inside the organisation’s systems for 20 months before the attacker escalated to domain administrator privileges — the highest level of access to the IT network.
This is the part every organisation should pay attention to:
The ICO found that only 5% of the IT environment was being monitored, some devices used obsolete unsupported software, and vulnerability management was inadequate.
This is not just a water sector issue.
It affects any organisation that holds personal data, relies on digital systems, manages suppliers, handles customer accounts, supports public services or operates critical infrastructure.
What went wrong?
The ICO said South Staffordshire failed to implement appropriate security controls required under UK data protection law. The failures included limited controls that allowed the attacker to escalate privileges, inadequate monitoring and logging, unsupported software, unpatched critical systems and the absence of regular internal or external security scans.
The breach affected customers and employees. Published information included personal details, HR information, customer account details, bank account numbers and sort codes, and information from which disabilities could be inferred for a small percentage of customers on the Priority Services Register.
The lesson is clear:
If your organisation cannot see what is happening across its systems, it cannot properly control cyber risk.
Policies alone will not stop a phishing email.
A cyber certificate alone will not monitor your network.
A supplier declaration alone will not prove resilience.
You need evidence that controls are working.
Who is affected?
SMEs
Small businesses often assume cyber attackers are only interested in larger organisations. That is not true.
A small business can still be affected by phishing, weak passwords, unpatched devices, poor backups and supplier compromise. One incident can cause lost data, delayed payments, business disruption, customer complaints and reputational damage.
SMEs should check whether they have Cyber Essentials basics in place, including secure configuration, access control, malware protection, security updates and firewalls.
Medium Businesses
Medium-sized organisations often grow faster than their governance systems.
They may have more users, suppliers, software tools and remote working arrangements – but still rely on informal controls.
Medium businesses should review access rights, monitoring coverage, patching, backup testing, supplier access and incident response.
Large Businesses
Large organisations face higher complexity and greater scrutiny.
They must show that cyber controls are not only designed but operating across departments, sites, systems and suppliers.
This is where ISO 27001 internal audits, vulnerability management checks, access reviews and board reporting become essential.
Multinationals
For multinationals, cyber governance must work across regions, systems and supply chains.
One weak location, legacy system or supplier connection can create group-wide exposure.
Multinationals should use consistent internal audit programmes, supplier assurance and data governance frameworks.
Contractors
Contractors increasingly need to prove cyber readiness before accessing client platforms, systems or data.
Weak cyber evidence can delay onboarding, block framework access or cause lost work.
Contractors should prepare Cyber Essentials evidence, data protection policies, incident response procedures and training records.
Subcontractors
Subcontractors can become the weak link in a supply chain.
If they handle client data, use shared systems, connect to portals or receive operational instructions digitally, they need clear cyber controls.
They should understand phishing, MFA, device security, data handling and incident escalation.
Public Sector Bodies
Public sector organisations and regulated bodies carry a higher duty of trust because individuals often have no choice but to share information with them.
The ICO specifically noted that customers do not choose which water company serves them, meaning trust must be honoured through serious data protection controls.
Public bodies should therefore treat supplier cyber assurance as part of procurement, contract management and governance.
Practical Actions Organisations Should Take Now
1. Review access control
Users and systems should only have the access they genuinely need. Administrator privileges should be tightly controlled, monitored and reviewed.
2. Improve monitoring and logging
The South Staffordshire case shows what happens when monitoring coverage is too low. Organisations should know which systems are monitored and whether alerts are acted upon.
3. Remove unsupported software
Legacy or end-of-life software creates avoidable risk. If systems cannot be patched or monitored properly, they should be replaced, isolated or controlled.
4. Strengthen vulnerability management
Regular scanning, patching and remediation should be part of normal operations, not a one-off project.
5. Test phishing resilience
Phishing remains a common entry point. Staff should be trained, simulated phishing should be considered, and reporting routes should be clear.
6. Review supplier access
Any supplier with access to systems or data should be assessed. Supplier controls should be evidenced, not assumed.
7. Prepare for breach response
Every organisation should know who does what in the first 24 hours after a breach. Incident response plans must be tested, not just written.
8. Build audit-ready evidence
If a client, insurer, regulator or procurement team asks for proof, you should be able to show policies, logs, scans, access reviews, training records and corrective actions quickly.
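Actions 2 to 4 above come down to a few questions an organisation should be able to answer from its asset inventory: what share of the estate is actually monitored, which hosts run end-of-life software, and which are overdue for patching. The script below is an added example, not code from the article or from TPMG; it runs those checks over a small constructed inventory, and the host names, software versions, end-of-support dates and thresholds are all made up for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Asset:
    name: str
    software: str
    eol: Optional[date]    # vendor end-of-support date; None means nobody knows
    monitored: bool        # True if the host forwards logs to the SIEM / has EDR
    last_patched: date


# Constructed sample inventory (hypothetical hosts, not real systems).
INVENTORY: List[Asset] = [
    Asset("dc01", "Windows Server 2012", date(2023, 10, 10), True, date(2024, 1, 5)),
    Asset("fs02", "Windows Server 2019", date(2029, 1, 9), False, date(2025, 5, 20)),
    Asset("scada-hmi", "Windows 7", date(2020, 1, 14), False, date(2019, 12, 1)),
    Asset("web01", "Ubuntu 22.04", date(2027, 4, 1), True, date(2025, 5, 28)),
    Asset("hr-app", "legacy HR portal", None, False, date(2025, 5, 25)),
]


def monitoring_coverage(assets: List[Asset]) -> float:
    """Percentage of inventoried hosts that are actually monitored."""
    return 100.0 * sum(a.monitored for a in assets) / len(assets)


def unsupported(assets: List[Asset], today: date) -> List[str]:
    """Hosts past vendor end-of-support, or with no known support date at all."""
    return [a.name for a in assets if a.eol is None or a.eol < today]


def overdue_patching(assets: List[Asset], today: date, max_age_days: int = 30) -> List[str]:
    """Hosts whose last recorded patch is older than the allowed window."""
    return [a.name for a in assets if today - a.last_patched > timedelta(days=max_age_days)]


def gap_report(assets: List[Asset], today: date, min_coverage: float = 90.0) -> dict:
    """Summarise the three checks and list the findings a board pack would need."""
    coverage = monitoring_coverage(assets)
    eol_hosts = unsupported(assets, today)
    stale_hosts = overdue_patching(assets, today)
    findings = []
    if coverage < min_coverage:
        findings.append(f"monitoring coverage {coverage:.0f}% is below target {min_coverage:.0f}%")
    if eol_hosts:
        findings.append("unsupported software on: " + ", ".join(eol_hosts))
    if stale_hosts:
        findings.append("patching overdue on: " + ", ".join(stale_hosts))
    return {"coverage_pct": coverage, "unsupported": eol_hosts,
            "overdue_patching": stale_hosts, "findings": findings}
```

Run with a fixed date (for example `gap_report(INVENTORY, date(2025, 6, 1))`) to get a repeatable report; in practice the inventory would be exported from the CMDB or endpoint management tool rather than typed in.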
How TPMG Can Help
TPMG helps organisations move from uncertainty to control.
Relevant TPMG services include:
- Cyber Essentials readiness audits.
- Cyber Essentials Plus preparation.
- ISO 27001 internal audits.
- ISO 27701 privacy internal audits.
- Cyber and data governance reviews.
- Supplier cyber assurance.
- Business continuity reviews.
- Incident response readiness checks.
- Policy and evidence pack preparation.
- Contractor compliance support.
- Digital dashboards for risk, actions and assurance.
TPMG helps you understand what is missing, prioritise what matters most and build evidence you can stand behind.
This is not about creating fear.
It is about control, confidence and readiness.
Need confidence that your cyber controls, data protection evidence, supplier access and incident response arrangements are strong enough?
Speak to TPMG about Cyber Essentials readiness, ISO 27001 internal audits, ISO 27701 privacy audits, supplier assurance or business continuity reviews.