Features 17.06.2026

AI Autopsy: South Staffordshire Water’s £1m Lesson in Visibility

An ICO incident post-mortem has some useful takeaways for CISOs

Carly Page finds out how attackers managed to stay hidden inside the company’s network for two years

Sixty-second snapshot

  • The ICO fined South Staffordshire Water almost £1m for a series of security failings that led to a data breach impacting 633,000 individuals
  • The initial intrusion went undetected for nearly two years and only came to light because systems started behaving abnormally
  • Organisations should assume phishing attacks will succeed and design their architecture accordingly
  • Least-privilege policies can help to stop one compromised account becoming an enterprise-wide crisis
  • Vulnerability scanning should not be treated as a compliance exercise. It’s a means to discover problems before attackers do. All systems should be patched and supported
  • Regulators increasingly expect evidence that controls work, not assurances that they exist
  • Monitoring gaps can accumulate over years and are often as much governance failures as technical ones. Ensure logging and monitoring controls provide sufficient coverage of the IT environment, and that alerts are acted upon

Attackers spent almost two years inside South Staffordshire Water’s IT network before anyone noticed. By the time the breach was discovered, they had obtained domain administrator privileges, exfiltrated 4.1 terabytes of data, and compromised personal information relating to almost 633,000 individuals. The incident ultimately cost the utility provider nearly £1m in regulatory fines from the Information Commissioner’s Office (ICO).

The attack itself is not especially unusual. But what makes the case noteworthy is how threat actors were able to remain undetected for so long.

A litany of errors

According to the ICO’s detailed write-up, the incident began in September 2020 when an employee opened a phishing email. That resulted in the installation of the Get2 downloader and the SDBbot remote access Trojan (RAT). Phishing remains one of the most common routes into corporate networks. But the regulator’s findings show how a routine intrusion can become something much more serious.

After nearly two years, the threat actor began moving laterally through the water company’s network on 17 May 2022. Using a domain administrator account over the Remote Desktop Protocol (RDP), they accessed 20 endpoints between that date and 4 August 2022.
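The pattern described above, one domain administrator account reaching 20 endpoints over RDP in a matter of weeks, is detectable from standard Windows logon events, provided those events are being collected and someone is looking at them. The Python below is an added, illustrative example written for this piece; it is not code from the ICO notice or from any of the organisations quoted. The hostnames, account names, IP addresses, the Domain Admins membership and the export format are all constructed assumptions; only the Event ID 4624 and logon-type semantics (10 for RDP, 2 for console, 3 for network) are the real Windows Security event fields. It flags a privileged account that reaches several distinct hosts within a sliding window, and separately flags any interactive logon by a privileged account to a workstation, something a tiered administration model (the least-privilege point the PwC and Avella commentators raise later in the piece) should never allow.

```python
"""Detection logic for the lateral-movement pattern the ICO describes: a
privileged account using RDP to reach many hosts in a short period.
Added example; every hostname, account, IP and log line below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events as a SIEM might export them.
# EventID 4624 = successful logon, 4625 = failed logon. LogonType 10 =
# RemoteInteractive (RDP), 2 = local interactive, 3 = network. Not real data.
SAMPLE_LOGS = """\
2022-05-10T08:30:00Z host=SRV-DB01 EventID=4624 LogonType=10 TargetUser=da_ops TargetDomain=CORP SourceIP=10.20.5.9
2022-05-17T09:02:11Z host=SRV-DB01 EventID=4624 LogonType=10 TargetUser=da_ops TargetDomain=CORP SourceIP=10.20.1.15
2022-05-17T09:30:00Z host=WS-052 EventID=4624 LogonType=10 TargetUser=helpdesk1 TargetDomain=CORP SourceIP=10.20.3.4
2022-05-17T09:31:00Z host=WS-053 EventID=4624 LogonType=10 TargetUser=helpdesk1 TargetDomain=CORP SourceIP=10.20.3.4
2022-05-17T09:45:00Z host=SRV-DB01 EventID=4625 LogonType=10 TargetUser=da_ops TargetDomain=CORP SourceIP=10.20.1.15
2022-05-17T10:15:03Z host=SRV-FS02 EventID=4624 LogonType=10 TargetUser=da_ops TargetDomain=CORP SourceIP=10.20.1.15
2022-05-17T11:40:27Z host=SRV-APP03 EventID=4624 LogonType=10 TargetUser=da_ops TargetDomain=CORP SourceIP=10.20.1.15
2022-05-17T13:05:49Z host=WS-041 EventID=4624 LogonType=10 TargetUser=da_ops TargetDomain=CORP SourceIP=10.20.1.15
2022-05-17T13:06:00Z host=WS-041 EventID=4624 LogonType=3 TargetUser=da_ops TargetDomain=CORP SourceIP=10.20.1.15
2022-05-17T14:00:00Z host=WS-019 EventID=4624 LogonType=2 TargetUser=da_ops TargetDomain=CORP SourceIP=-
this line is malformed and is skipped by the parser
"""

# Hypothetical Domain Admins membership; in practice export it from AD.
PRIVILEGED = {"da_ops", "da_build"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) TargetDomain=(?P<domain>\S+) SourceIP=(?P<src>\S+)$"
)


def parse(text):
    """Parse exported lines into dicts; unparseable lines are dropped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["eid"] = int(e["eid"])
        e["ltype"] = int(e["ltype"])
        events.append(e)
    return events


def fanout_alerts(events, privileged, window=timedelta(hours=24), threshold=4):
    """Flag a privileged account that RDPs into >= threshold distinct hosts
    within any sliding window. Successful RDP logons only (4624 / type 10)."""
    by_user = defaultdict(list)
    for e in events:
        if e["eid"] == 4624 and e["ltype"] == 10 and e["user"] in privileged:
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, e in enumerate(evs):
            while evs[start]["ts"] < e["ts"] - window:  # drop events older than the window
                start += 1
            hosts = {x["host"] for x in evs[start:end + 1]}
            if len(hosts) >= threshold:
                alerts.append({"user": user, "start": evs[start]["ts"],
                               "end": e["ts"], "hosts": sorted(hosts)})
                break  # one alert per account per run is enough to page on
    return alerts


def tier_violations(events, privileged, workstation_prefix="WS-"):
    """Under a tiered admin model a Domain Admin should never log on
    interactively (console or RDP) to a workstation; each such logon is an alert."""
    return [e for e in events
            if e["eid"] == 4624 and e["ltype"] in (2, 10)
            and e["user"] in privileged and e["host"].startswith(workstation_prefix)]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    for a in fanout_alerts(evs, PRIVILEGED):
        print(f"FAN-OUT {a['user']}: {len(a['hosts'])} hosts {a['start']}..{a['end']} {a['hosts']}")
    for v in tier_violations(evs, PRIVILEGED):
        print(f"TIER VIOLATION {v['user']} -> {v['host']} (logon type {v['ltype']}) at {v['ts']}")
```

On the constructed sample the fan-out rule fires once for the hypothetical Domain Admin, with the event from a week earlier correctly falling outside the window and the failed 4625 attempt ignored, and the tier rule fires twice, for the RDP and console logons to workstations. The threshold and window are tuning knobs: a four-host, 24-hour baseline is a starting point, not a standard, and the rule is only as good as the fraction of endpoints forwarding 4624 events, which is exactly the coverage problem this case turns on.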


By the time they obtained privileged credentials, they were effectively able to move wherever they wanted and access large amounts of sensitive information. The attackers’ haul included personal information relating to customers, employees, pensioners, and vulnerable individuals. Some of that information was later published on the dark web after the water company refused to pay a ransom demand.

According to the ICO, the threat actors were not identified through a monitoring alert, a threat-hunting exercise or a vulnerability assessment. The breach came to light because systems started behaving abnormally.

Only about 5% of South Staffordshire’s IT estate was actively monitored, the ICO revealed. The water company had not conducted any vulnerability scanning during the period and was still operating legacy infrastructure, including Windows Server 2003, which had been out of extended support since 2015. None of the ICO’s findings would raise many eyebrows on their own: legacy systems, patching backlogs and monitoring gaps exist in plenty of organisations. The report shows how those issues combined to make a bad situation much worse.
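The ICO’s 5% figure is the kind of number a security team should be able to produce on demand rather than estimate. The Python below is an added example, not from the ICO notice or the article’s sources: it reconciles a constructed asset-inventory export against a constructed SIEM “last event per host” export and reports coverage overall and per administrative tier. The hostnames, tiers, dates, CSV columns and the 24-hour staleness cut-off are all assumptions. Two details matter in practice and are handled here: an agent that reported once but has since gone quiet is not “monitored”, and a host that sends logs but is absent from the inventory is an inventory gap in its own right.

```python
"""Monitoring-coverage reconciliation: join an asset inventory against the
hosts the SIEM has actually heard from, so "what percentage of the estate is
monitored" is a measured number. Added example with constructed data."""
import csv
import io
from datetime import datetime, timedelta

# Constructed CMDB export (hypothetical hosts and tiers, not from the incident).
INVENTORY_CSV = """\
hostname,tier,os
DC01,tier0,Windows Server 2019
SRV-DB01,tier1,Windows Server 2003
SRV-FS02,tier1,Windows Server 2016
SRV-APP03,tier1,Ubuntu 22.04
SCADA-HMI1,tier1,Windows 7
WS-019,tier2,Windows 10
WS-041,tier2,Windows 10
WS-052,tier2,Windows 10
"""

# Constructed SIEM export: last event received per reporting host.
# Note the lower-case "ws-019" (case drift between sources is normal) and
# "ROGUE-07", which reports but is not in the inventory at all.
SIEM_LAST_SEEN_CSV = """\
hostname,last_event_utc
DC01,2026-06-16T23:58:00Z
SRV-FS02,2026-06-16T22:10:00Z
WS-041,2026-06-10T08:00:00Z
WS-052,2026-06-16T23:30:00Z
ws-019,2026-06-16T21:00:00Z
ROGUE-07,2026-06-16T20:00:00Z
"""


def coverage_report(inventory_csv, siem_csv, now, stale_after=timedelta(hours=24)):
    """Classify every inventoried host as monitored (event within stale_after),
    stale (once reported, now silent) or unmonitored (never seen). Hosts that
    report but are absent from the inventory are returned as not_in_inventory."""
    inventory = {r["hostname"].upper(): r
                 for r in csv.DictReader(io.StringIO(inventory_csv))}
    last_seen = {r["hostname"].upper(): datetime.strptime(r["last_event_utc"], "%Y-%m-%dT%H:%M:%SZ")
                 for r in csv.DictReader(io.StringIO(siem_csv))}
    monitored, stale, unmonitored = set(), [], []
    for host in inventory:
        seen = last_seen.get(host)
        if seen is None:
            unmonitored.append(host)
        elif now - seen > stale_after:
            stale.append(host)
        else:
            monitored.add(host)
    per_tier = {}
    for host, row in inventory.items():
        t = per_tier.setdefault(row["tier"], {"total": 0, "monitored": 0})
        t["total"] += 1
        t["monitored"] += int(host in monitored)
    return {
        "coverage_pct": round(100.0 * len(monitored) / len(inventory), 1),
        "monitored": sorted(monitored),
        "stale": sorted(stale),
        "unmonitored": sorted(unmonitored),
        "not_in_inventory": sorted(set(last_seen) - set(inventory)),
        "per_tier": per_tier,
    }


def demo_report(now_iso="2026-06-17T00:00:00Z"):
    """Run the reconciliation on the constructed data at a fixed 'now'."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ")
    return coverage_report(INVENTORY_CSV, SIEM_LAST_SEEN_CSV, now)


if __name__ == "__main__":
    report = demo_report()
    total = sum(t["total"] for t in report["per_tier"].values())
    print(f"Monitored: {report['coverage_pct']}% of {total} inventoried hosts")
    for tier, t in sorted(report["per_tier"].items()):
        print(f"  {tier}: {t['monitored']}/{t['total']}")
    print("Stale agents:", report["stale"])
    print("Never seen:", report["unmonitored"])
    print("Reporting but not in inventory:", report["not_in_inventory"])
```

Run against the constructed data it reports 50% coverage overall but only one of four tier-1 servers, which is the breakdown a board actually needs: a headline percentage that hides an unmonitored domain controller or database tier is worse than no number at all. The per-tier view also surfaces the unsupported operating systems in the inventory rows, so the same report answers the ICO’s patching and legacy-infrastructure points.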

A failure years in the making

“This wasn’t a sophisticated nation-state attack that overwhelmed a well-defended organisation,” Avella Security CISO, Tom Pepper, tells Assured Intelligence. “It was a visibility failure years in the making that nobody chose to fix.”

That assessment cuts to the heart of the case. The ICO’s findings suggest this was not an organisation defeated by an advanced adversary, but one that struggled to see what was happening inside its own environment.

“The South Staffordshire case is not a story about a sophisticated attack. It is a story about 20 months of silence and also what that silence cost,” Palo Alto Networks senior engineering manager, Mona Rajhans, tells Assured Intelligence.

By the time the breach was discovered, the attackers had already achieved their objectives, obtained privileged access, and extracted large volumes of data.

Don’t wait to be alerted

Shane Fry, CTO at RunSafe Security, tells Assured Intelligence: “This breach shows how quickly attackers can turn a minor foothold into total control when systems aren’t hardened against exploitation. Twenty months of undetected access and domain-level compromise is exactly what happens when organisations rely on detection alone.”


The lesson is to assume detection will sometimes fail, he argues. Security architectures need to be built around containing malicious activity after a compromise, rather than assuming breaches can always be identified quickly enough to prevent damage.

“Critical infrastructure needs exploit-resilient architectures that eliminate the attacker’s ability to escalate, because AI-driven adversaries won’t wait for you to patch or monitor every endpoint,” Fry adds.

When one phishing email becomes everyone’s problem

Allan Dabre, AI risk and technology compliance leader at PwC, tells Assured Intelligence: “This incident is a classic case of not getting the basics right.”

He says best practices such as access controls, role-based permissions, regular access reviews, and multi-factor authentication (MFA) could have helped. Although they sometimes receive less attention than more eye-catching security technologies, they play a critical role in limiting attacker movement.

Avella’s Pepper agrees. “Least privilege was absent. Once inside, the attacker moved laterally until they held domain administrator credentials, giving them access to everything,” he says. “Better access controls wouldn’t have stopped the initial phishing compromise, but they’d have contained the damage considerably. One mistake shouldn’t become an organisation-wide catastrophe. That only happens when the architecture lets it.”

Least privilege isn’t designed to stop every compromise. Its purpose is to ensure that when a compromise occurs, attackers do not automatically inherit access to the rest of the organisation.

Regulators now want proof

The penalty notice makes clear that having security controls on paper is one thing, but showing they work is another.


“Under GDPR Article 5(2), it is not enough for a company to claim they have robust defences; they must be able to evidence them,” Chris Gilmour, CTO at Axians UK, tells Assured Intelligence. “We strongly believe a ‘test, don’t trust’ mentality is essential; if you aren’t actively verifying your controls – via security testing, table-top exercises, or crisis simulations – you aren’t actually protected.”

CISOs must also ensure controls evolve at the same pace as the environment around them, he adds.

The boardroom question

Nearly four years passed between the initial compromise and the ICO’s penalty notice, but the lessons learnt remain relevant today.

Avella’s Pepper argues that monitoring gaps of this scale rarely emerge overnight, but are usually the product of deferred investment, unclear ownership, and security teams that lack the authority to force difficult conversations.

For CISOs, that may be the hardest issue to fix. The technical problems identified by the ICO are largely solvable. The governance problems are often much more challenging to address.

As Pepper puts it: “The question every CISO should sit with after reading this: can you tell your board, with actual evidence, what percentage of your estate is monitored right now? Not approximately. Specifically. If the answer is vague, the lesson from South Staffordshire isn’t theoretical.”
