South Staffordshire Data Breach

KP Law is looking to help those affected to claim compensation. Register your interest in the potential claim today.

Are you a South Staffordshire Water customer or employee?

If you are a current or former customer or employee of South Staffordshire Water, your personal information may have been exposed in a major cyber attack affecting hundreds of thousands of individuals.

In May 2026, the Information Commissioner’s Office (ICO) fined South Staffordshire Plc and South Staffordshire Water Plc following a major cyber incident which compromised the data of over 600,000 people in 2022. The ICO found failures in the companies’ handling of customer and employee data.

KP Law is now investigating a potential group action on behalf of affected individuals.

Register your interest today to receive updates and find out whether you could be eligible to bring a claim.

Was your data exposed in the South Staffordshire Water data breach?

The ICO found that cyber criminals were able to gain access to South Staffordshire Water’s systems and publish sensitive personal information on the dark web following a prolonged cyber attack.

The cyber incident appears to have started in September 2020, when attackers first gained access to the company’s network after a phishing email allowed malicious software to be installed on a computer system.

The intrusion went undetected for 20 months, and in May 2022 the attacker obtained the highest level of system access to the IT network. This is what ultimately led to the exposure of personal data belonging to current and former customers and employees.

The breach was only identified in July 2022 when an internal investigation was prompted by IT performance issues.

The ICO concluded that South Staffordshire Water failed to implement appropriate technical and organisational security measures required under UK data protection law.

KP Law understands the seriousness of this incident and the concern it may cause to affected individuals. We are investigating a potential claim on behalf of customers and employees whose personal information may have been compromised.

What do we know about the South Staffordshire Water data breach?

The ICO found that approximately 4.121TB of data was ultimately published on the dark web, affecting around 633,887 UK data subjects.  

The exposed information may have included:

The ICO also confirmed that some highly sensitive special category data was exposed, including information relating to race, ethnicity and religious beliefs for certain individuals.  

South Staffordshire Water notified hundreds of thousands of affected individuals following the breach, including customers whose banking information and Priority Services Register data had been compromised.

How did the ICO respond to the breach?

Following its investigation, the ICO concluded that South Staffordshire Water and South Staffordshire Plc had infringed Article 5(1)(f) and Article 32(1) of the UK GDPR by failing to implement appropriate security measures.  

The ICO identified several major security failings, including:

  • Failure to properly implement the principle of least privilege
  • Inadequate security monitoring and logging
  • Continued use of obsolete software systems, including Windows 2003
  • Inadequate vulnerability management practices

The regulator found that these failings allowed attackers to move laterally through the company’s systems with limited resistance. The ICO also noted that some systems remained unpatched against known vulnerabilities for extended periods.  

As a result, the ICO issued a monetary penalty notice totalling £963,900 against South Staffordshire Plc and South Staffordshire Water Plc in May 2026.

Get in touch today if:

  • You are a current or former customer and/or employee of South Staffordshire Water
  • You received notification that your personal data was affected; or
  • You believe your information may have been compromised in the breach

Under the UK GDPR and Data Protection Act 2018, you are entitled to compensation if you suffer either material or non-material damage due to a data breach.

What happens next?

Our team at KP Law has extensive experience holding organisations accountable for data misuse and cybersecurity failures. We operate on a no-win, no-fee basis, meaning there is no cost to you unless your claim succeeds.

KP Law is one of the leading law firms in England & Wales specialising in group action litigation. We act for consumers and employees whose rights have been compromised by large organisations failing to protect sensitive personal data.

Click the link below to complete our short registration form. We’ll provide updates as our investigation progresses.

Join the Potential Group Action Today

Register your details in less than 2 minutes

Pay nothing unless your claim is successful

Join thousands of others seeking justice

Take action now – don’t let South Staffordshire Water's failure go unanswered.

How could your data be at risk?

The ICO confirmed that personal data stolen during the attack was published on the dark web, increasing the risk of identity theft, fraud attempts and phishing scams.

Where financial information, payroll data, account credentials or sensitive personal details are exposed, cyber criminals may attempt to:

  • Commit identity fraud
  • Access other online accounts
  • Send convincing phishing emails or scam messages
  • Target vulnerable individuals with tailored fraud attempts
  • Use leaked information for financial scams

The breach also involved data relating to individuals on South Staffordshire Water’s Priority Services Register, meaning some vulnerable individuals may face heightened risks following the exposure of their information.

If you believe your data may have been affected, you should remain cautious of suspicious emails, calls, texts and online messages and monitor your financial accounts carefully.

What Should You Do Following The South Staffs Water Data Breach?

If you believe your data may have been accessed, you should follow the steps below to protect yourself from further harm:

Reset Your Password

Change your login details for your South Staffordshire Water account and ensure your other accounts use strong, unique passwords. Customers were also advised to change passwords and enable two-factor authentication (2FA) at the same time as a precautionary measure.

Watch For Scams

Stay alert for suspicious calls, texts or emails. Whilst the breach included limited betting account information and recent activity on accounts, there's still a risk that even limited personal information could be used in phishing scams.

Monitor Your Credit

Be aware of any unexpected activity on your accounts, and consider getting a copy of your credit file to check for identity misuse after the breach.

What could you claim for?

While each case is judged on its own merits, there are some things we would typically look for when it comes to claiming compensation following a data breach, cybercrime or other GDPR violation:

Financial loss

With stolen data, cybercriminals can make purchases using your bank and credit cards, apply for credit in your name, set up fraudulent bank accounts and access your existing online accounts.

Distress

GDPR failures, cybercrime and data breaches can have a significant impact on you, both mentally and physically. They can cause or exacerbate anxiety, stress and other psychological conditions.

Loss of privacy

Your data has value, and organisations must be held to account if they fail to protect your right to data privacy or otherwise do not uphold your GDPR rights.

Please note that claims for personal injury or recognised psychiatric injury are generally subject to a three-year limitation period from the date of the incident.  As the matters under investigation occurred in 2022, such claims may now be time barred. However, this does not prevent claimants from pursuing claims for distress, loss of control of personal data, or other non-material damage arising from the data breach.

If you wish to pursue a claim for personal injury or psychiatric injury, you are free to seek independent legal advice or consult an alternative legal representative.

Your questions answered

See our answers to the FAQs we get asked about the South Staffordshire Water Data Breach.

FAQs about the South Staffordshire Water data breach

South Staffordshire Water suffered a major cyber attack that began in September 2020 after attackers gained access through a phishing campaign. Attackers remained undetected within the network for an extended period before stealing and publishing large quantities of personal data on the dark web.  

Paddy Power and Betfair contacted affected customers to alert them of the incident, providing some online safety advice.

The ICO confirmed that approximately 633,887 UK data subjects had personal data published on the dark web following the breach. 

The exposed data reportedly included names, addresses, contact details, dates of birth, financial information, National Insurance numbers, HR records, usernames, passwords and certain sensitive personal data.

The ICO concluded that South Staffordshire Water and South Staffordshire Plc failed to implement appropriate cybersecurity measures and issued a monetary penalty notice of £963,900.

South Staffordshire Water released this FAQ on their website about the breach: https://www.south-staffs-water.co.uk/help-and-advice/support

South Staffordshire Water notified hundreds of thousands of affected individuals following the breach, including customers and employees whose information was believed to have been compromised.

If you were affected by the South Staffordshire Water data breach, you may be entitled to compensation. Register with KP Law today to receive updates regarding our investigation and any potential group action claim.

A group action claim is where a group of people – sometimes even thousands of people – have been affected by the same issue. Group action cases are also known as class actions, multi-claimant, or multi-party actions.

There are no costs to join our claim. However, if your claim is successful, you may have to pay a ‘success fee’. This fee is taken from the compensation awarded to you. At KP Law, our success fee is competitive, and we make sure you are fully informed about any potential costs before you officially join our action. If you lose, you won’t have to pay a penny. 

How to protect yourself following a data breach or cybercrime

  • Contact your bank or credit card provider immediately if your financial data has been exposed.
  • Check all bills and emails for goods or services you have not ordered.
  • Check your bank account for unfamiliar transactions.
  • Alert your bank or credit card provider immediately if there is any suspicious activity.
  • Monitor your credit score for any unexpected dips.
  • Call Credit, Experian and Equifax to ensure credit isn’t taken out in your name.
  • Never provide your PIN or full password to anyone (even someone claiming to be from your bank).
  • Never be pressured into moving money to another account for fraud reasons. A legitimate bank won’t ask you to do this.
  • Follow the security instructions provided by the organisation that breached your data.
  • Never automatically click on any suspicious links or downloads in emails or texts.
  • Don’t assume an email or phone call is authentic just because someone has your details.
  • Be careful who you trust – criminals often use scare tactics to try and trick you into revealing your security details.
  • Know that, even if you recognise a name or number, it might not be genuine.
  • Don’t be rushed or pressured into making a decision. A trustworthy organisation would never force you to make a financial transaction on the spot.
  • Never provide your full password, PIN or security code to someone over the phone (or via message). If a bank believes a transaction has been fraudulent, they will not ask for this information to cancel the transaction.
  • Listen to your instincts and ask questions if something feels “off”.
  • Refuse requests for personal or financial information and stop discussions if you are at all unsure.
  • Contact your bank or financial service provider on a number you know and trust to check if a communication is genuine.
  • Be cautious of unsolicited communications that refer you to a web page asking for personal data.
  • Don’t accept friend requests from people you don’t know on social media.
  • Review your online privacy settings.
  • Report suspected fraud attempts to the police and Action Fraud.
  • Register with the Cifas protective registration service to slow down credit applications made in your name.
  • Change your passwords regularly and use a different password for every account (a password manager can help with this).
  • Protect your devices with up-to-date internet security software.