Full Report
What Happened:
On 11 May 2026, the UK Information Commissioner’s Office (ICO) fined South Staffordshire Water £963,900 after the Cl0p ransomware group lurked completely undetected in its network for nearly two years. Initial access reportedly occurred via a malicious phishing email in September 2020, which downloaded Cl0p’s Get2Loader malware and its SDBBOT backdoor to establish persistence. The breach was only discovered two years later, in July 2022, when staff began investigating IT performance slowdowns. South Staffs Water ultimately found that 4.1 terabytes of data had been exfiltrated, and the personal data of 633,887 customers and employees was published in August 2022 on Cl0p’s Tor data leak site.

The ICO’s investigation also revealed a staggering list of systemic failures. South Staffs’ outsourced Security Operations Center (SOC) was blind to 95% of the network, and the company conducted zero internal or external vulnerability scans over an 18-month window. At the time of the attack it was still running Windows Server 2003 machines long after extended support ended. Further, two of its domain controllers were left completely unpatched against ZeroLogon (CVE-2020-1472), a critical, easily exploitable vulnerability published years before the intrusion.

Analyst Comment:
This case is a sobering look at the technical debt hiding inside the UK’s Critical National Infrastructure (CNI). A dwell time of nearly two years is practically unheard of in modern ransomware operations, and the TTPs used by the adversary point to a total breakdown of the organisation’s defences. Cl0p didn’t need sophisticated, state-sponsored techniques or zero-days to pull this one off; they just walked back in through an infection that went undetected.

The ICO’s findings also reveal the reality that many UK organisations still treat cybersecurity as a set-and-forget compliance check rather than a routine effort to mature and upgrade systems, backed by proactive measures to hunt for and detect threats lurking inside the network.

Defensive Takeaways:
- Audit Your Outsourced SOC: Never assume a third-party security provider sees everything or is doing everything right. Establish audits to verify that endpoint telemetry and logs from your entire estate are actively ingested into, and retained in, a monitoring platform.
- Harden Your Crown Jewels Against Old Flaws: Ensure that Active Directory and domain controllers are strictly monitored and prioritised for critical patches. Vulnerabilities like ZeroLogon remain a ransomware operator’s favourite tool for fast lateral movement and escalation to Domain Admin access.

Relevant Sources:
- https://ico.org.uk/media2/xdrfahsw/south-staffordshire-plc-and-south-staffordshire-water-plc-monetary-penalty-notice.pdf
- https://therecord.media/uk-water-company-had-hackers-lurking-for-years
- https://www.bleepingcomputer.com/news/security/uk-fines-water-supplier-13m-for-exposing-data-of-664k-customers/
- https://www.theregister.com/cyber-crime/2026/05/11/ico-fines-south-staffordshire-963k-over-2022-breach/5237875
- https://www.theregister.com/security/2022/08/18/ransomware-attack-on-a-uk-water-company-clouded-by-confusion/1394557

Relevant CTI Resources:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.clop
- https://malpedia.caad.fkie.fraunhofer.de/details/win.get2
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sdbbot
- https://www.crowdstrike.com/en-us/blog/cve-2020-1472-zerologon-security-advisory/
Analysis Summary
# Incident Report: Cl0p Ransomware Breach of South Staffordshire Water
## Executive Summary
South Staffordshire Water was targeted by the Cl0p ransomware group in a breach that remained undetected for nearly two years, resulting in the theft of 4.1 TB of data. The intrusion exploited severe systemic failures, including unpatched vulnerabilities (ZeroLogon) and an outsourced SOC that lacked visibility into 95% of the network. The incident concluded with the publication of personal data for over 633,000 individuals and a £963,900 fine from the UK Information Commissioner’s Office (ICO).
## Incident Details
- **Discovery Date:** July 2022
- **Incident Date:** September 2020 – August 2022
- **Affected Organization:** South Staffordshire PLC (South Staffordshire Water)
- **Sector:** Critical National Infrastructure (CNI) / Water Utility
- **Geography:** United Kingdom
## Timeline of Events
### Initial Access
- **Date/Time:** September 2020
- **Vector:** Phishing Email
- **Details:** A malicious email was used to deliver Get2Loader malware, which subsequently dropped the SDBBOT backdoor to establish a long-term foothold.
### Lateral Movement
- **Details:** Attackers exploited critical, unpatched vulnerabilities, specifically ZeroLogon (CVE-2020-1472), on two domain controllers to escalate privileges and move through the environment.
### Data Exfiltration/Impact
- **Details:** Throughout the two-year dwell time, the actors exfiltrated 4.1 terabytes of data. In August 2022, the personal data of 633,887 customers and employees was published on Cl0p’s Tor-based leak site.
### Detection & Response
- **July 2022:** Breach discovered after staff investigated significant IT performance slowdowns.
- **August 2022:** Data publication by Cl0p confirmed the extent of the exfiltration.
- **May 11, 2026:** ICO issued a monetary penalty of £963,900 following a forensic investigation into systemic security failures.
## Attack Methodology
- **Initial Access:** Phishing email.
- **Persistence:** SDBBOT backdoor.
- **Privilege Escalation:** Exploitation of CVE-2020-1472 (ZeroLogon).
- **Defense Evasion:** Use of legacy systems (Windows Server 2003) and exploitation of SOC visibility gaps (95% of the network was not monitored).
- **Credential Access:** Domain Controller compromise via ZeroLogon.
- **Discovery (by the victim):** IT performance issues identified by staff after roughly 22 months of adversary activity.
- **Lateral Movement:** Exploit-driven movement across domain controllers.
- **Collection:** Gathering 4.1 TB of sensitive corporate and personal data.
- **Exfiltration:** Data removed from the network over the dwell period and later published on Cl0p’s Tor leak site.
- **Impact:** Massive data breach and significant regulatory fine.
## Impact Assessment
- **Financial:** £963,900 ICO fine; additional undisclosed costs for remediation and forensics.
- **Data Breach:** 4.1 TB of data stolen; sensitive PII of 633,887 individuals exposed.
- **Operational:** System performance degradation noticed by staff; necessity to overhaul legacy infrastructure.
- **Reputational:** High-profile failure of Critical National Infrastructure (CNI) protection.
## Indicators of Compromise
- **Network indicators:** Tor leak site communication; traffic to known Cl0p C2 infrastructure (URLs defanged in sources).
- **File indicators:** Get2Loader malware; SDBBOT backdoor.
- **Behavioral indicators:** Abnormal IT performance slowdowns; unauthorized access to Domain Controllers using ZeroLogon.
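The domain-controller monitoring called for in the takeaways and the behavioural indicator listed above ("unauthorized access to Domain Controllers using ZeroLogon"), as an added example that is not part of the original report or the ICO notice: Python detection logic run over a constructed batch of Windows events normalised into dicts. It keys on the two artefacts Microsoft documents for CVE-2020-1472: Security event 4742 (a computer account was changed) where the subject is ANONYMOUS LOGON and the target is a machine account, and System/NETLOGON event 5829, which a DC logs when it allows a vulnerable Netlogon secure channel because enforcement mode is not active. The field names (`log`, `event_id`, `computer`, `subject_user`, `target_user`, `machine_account`), the hostnames and the timestamps are this example's own assumptions, not raw Windows schema.

```python
"""Detection logic for ZeroLogon (CVE-2020-1472) activity on domain controllers.

Added example; not taken from the report. A SIEM would supply real events in
place of SAMPLE_EVENTS. Two Microsoft-documented artefacts are used:

  * Security 4742 (computer account changed) with subject ANONYMOUS LOGON and a
    machine-account target: the password reset that exploitation performs.
  * System/NETLOGON 5829: the DC allowed a vulnerable Netlogon secure channel,
    i.e. enforcement mode is off and that device is still exposed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    severity: str
    rule: str
    dc: str
    detail: str


# Constructed sample events (normalised schema; hostnames and times invented).
SAMPLE_EVENTS = [
    {"log": "System", "event_id": 5829, "computer": "DC01", "machine_account": "FILESRV01$", "time": "2020-10-03T02:11:09Z"},
    {"log": "Security", "event_id": 4742, "computer": "DC01", "subject_user": "ANONYMOUS LOGON", "target_user": "DC01$", "time": "2020-10-03T02:14:52Z"},
    # Legitimate machine-account password rotation: the subject is the computer itself.
    {"log": "Security", "event_id": 4742, "computer": "DC02", "subject_user": "WKS-042$", "target_user": "WKS-042$", "time": "2020-10-03T03:00:00Z"},
    {"log": "Security", "event_id": 4742, "computer": "DC02", "subject_user": "ANONYMOUS LOGON", "target_user": "DC02$", "time": "2020-10-03T03:21:40Z"},
    {"log": "System", "event_id": 5829, "computer": "DC02", "machine_account": "PRINT01$", "time": "2020-10-03T04:00:00Z"},
    {"log": "System", "event_id": 5829, "computer": "DC02", "machine_account": "PRINT01$", "time": "2020-10-04T04:00:00Z"},
]

DOMAIN_CONTROLLERS = {"DC01", "DC02"}  # constructed list of DC hostnames


def anonymous_machine_password_resets(events, domain_controllers):
    """Security 4742 raised by ANONYMOUS LOGON against a machine account ($).

    A DC's own account being changed this way is the highest-confidence signal,
    so it is rated critical; any other machine account is rated high.
    """
    alerts = []
    for ev in events:
        if ev.get("log") != "Security" or ev.get("event_id") != 4742:
            continue
        if ev.get("subject_user", "").upper() != "ANONYMOUS LOGON":
            continue
        target = ev.get("target_user", "")
        if not target.endswith("$"):
            continue
        is_dc = target.rstrip("$") in domain_controllers
        alerts.append(Alert(
            severity="critical" if is_dc else "high",
            rule="zerologon_anonymous_4742",
            dc=ev["computer"],
            detail=f"{target} changed by ANONYMOUS LOGON at {ev['time']}",
        ))
    return alerts


def vulnerable_netlogon_channels(events):
    """System/NETLOGON 5829: allowed vulnerable connections per (DC, device)."""
    counts = Counter()
    for ev in events:
        if ev.get("log") == "System" and ev.get("event_id") == 5829:
            counts[(ev["computer"], ev["machine_account"])] += 1
    return counts


def scan(events, domain_controllers):
    """Run both rules and return one flat list of alerts."""
    alerts = anonymous_machine_password_resets(events, domain_controllers)
    for (dc, acct), n in sorted(vulnerable_netlogon_channels(events).items()):
        alerts.append(Alert(
            severity="medium",
            rule="netlogon_vulnerable_channel_5829",
            dc=dc,
            detail=f"{acct} used a vulnerable secure channel {n} time(s); enforcement mode not active",
        ))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS, DOMAIN_CONTROLLERS):
        print(f"[{a.severity:8}] {a.rule:32} {a.dc}: {a.detail}")
```

The 5829 rule is as much a hygiene check as a detection: a DC that is still allowing vulnerable channels two years after the patch shipped is exactly the state the ICO found, and the event names the device that will break when enforcement is switched on, so it doubles as the remediation worklist.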
## Response Actions
- **Containment:** Forensic investigation into IT performance issues leading to the discovery of the intruder.
- **Eradication:** Requirement to patch or decommission Windows Server 2003 legacy systems and address ZeroLogon vulnerabilities.
- **Recovery:** Notification of 633,000+ affected data subjects and coordination with the ICO.
## Lessons Learned
- **Visibility is Central:** An outsourced SOC is ineffective if it only monitors 5% of the environment.
- **Technical Debt Kills:** Running Windows Server 2003 long after the end of support creates indefensible gaps.
- **Patch Management:** Failing to patch "headline" vulnerabilities like ZeroLogon years after their release provides attackers with an easy path to Domain Admin.
## Recommendations
- **Audit Managed Services:** Conduct regular technical audits of outsourced SOC providers to ensure log ingestion covers 100% of critical assets.
- **Vulnerability Scanning:** Implement a rigorous schedule of internal and external vulnerability scans; the 18-month gap in scanning at South Staffs was a primary failure.
- **Modernize Infrastructure:** Prioritize the decommissioning of EOL (End of Life) operating systems that cannot be properly defended against modern TTPs.
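The SOC audit and end-of-life checks recommended here, and in the Full Report's "Audit Your Outsourced SOC" takeaway, as an added example that is not part of the original report or the ICO notice: a Python audit that joins a constructed asset inventory (CSV) against constructed "last event seen" records from a log platform and reports what fraction of the estate is actually reporting, which critical hosts are silent, which hosts run an operating system past vendor end of life, and which hosts send logs but are absent from the inventory. Hostnames, timestamps and the `criticality` field are invented; the EOL dates are Microsoft's published extended-support end dates.

```python
"""Telemetry-coverage and end-of-life audit for an outsourced SOC.

Added example; not taken from the report. INVENTORY_CSV stands in for a CMDB
export and LAST_SEEN for a SIEM query of the newest event per host. Both are
constructed. A host only counts as covered if it has sent an event within
max_silence of the audit time, so stale forwarders are surfaced as well as
hosts that were never onboarded.
"""
import csv
import io
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta, timezone

# Constructed inventory.
INVENTORY_CSV = """hostname,os,criticality
DC01,Windows Server 2019,critical
DC02,Windows Server 2012 R2,critical
LEGACY-APP1,Windows Server 2003,high
FILESRV01,Windows Server 2016,high
WKS-042,Windows 10,low
WKS-043,Windows 10,low
SCADA-HMI1,Windows 7,critical
"""

# Constructed SIEM summary: WKS-042 and SCADA-HMI1 never reported; BUILD-TMP9
# reports but is not in the inventory; DC02 last reported months ago.
LAST_SEEN = {
    "DC01": "2022-07-01T08:00:00Z",
    "DC02": "2022-04-15T23:10:00Z",
    "LEGACY-APP1": "2022-06-30T12:00:00Z",
    "FILESRV01": "2022-07-01T07:59:00Z",
    "WKS-043": "2022-07-01T06:30:00Z",
    "BUILD-TMP9": "2022-07-01T05:00:00Z",
}

# Microsoft extended-support end dates.
EOL_DATES = {
    "Windows Server 2003": date(2015, 7, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
}

# Constructed audit time, the day the breach was discovered in the report's timeline.
AS_OF = datetime(2022, 7, 1, 9, 0, tzinfo=timezone.utc)


@dataclass
class CoverageReport:
    total_assets: int
    reporting: int
    silent: list = field(default_factory=list)          # (hostname, criticality, last_seen or None)
    eol: list = field(default_factory=list)             # (hostname, os, eol_date)
    unknown_senders: list = field(default_factory=list)  # reporting hosts missing from inventory

    @property
    def coverage_pct(self):
        return round(100.0 * self.reporting / self.total_assets, 1) if self.total_assets else 0.0


def parse_inventory(text):
    return list(csv.DictReader(io.StringIO(text)))


def audit(inventory, last_seen, as_of, max_silence=timedelta(days=1)):
    report = CoverageReport(total_assets=len(inventory), reporting=0)
    inventory_names = set()
    for row in inventory:
        name, os_name, crit = row["hostname"], row["os"], row["criticality"]
        inventory_names.add(name)
        seen = last_seen.get(name)
        seen_dt = datetime.fromisoformat(seen.replace("Z", "+00:00")) if seen else None
        if seen_dt is not None and as_of - seen_dt <= max_silence:
            report.reporting += 1
        else:
            report.silent.append((name, crit, seen))
        eol = EOL_DATES.get(os_name)
        if eol and eol <= as_of.date():
            report.eol.append((name, os_name, eol))
    report.unknown_senders = sorted(set(last_seen) - inventory_names)
    return report


def run_sample_audit():
    return audit(parse_inventory(INVENTORY_CSV), LAST_SEEN, AS_OF)


if __name__ == "__main__":
    rep = run_sample_audit()
    print(f"coverage: {rep.coverage_pct}% ({rep.reporting}/{rep.total_assets} assets reporting)")
    for h, crit, seen in rep.silent:
        print(f"SILENT   {h:12} criticality={crit:8} last_seen={seen or 'never'}")
    for h, os_name, eol in rep.eol:
        print(f"EOL      {h:12} {os_name} (support ended {eol})")
    for h in rep.unknown_senders:
        print(f"UNKNOWN  {h:12} sends logs but is not in the inventory")
```

Run against the provider's own data on a schedule and keep the output: a coverage figure the customer computes from its inventory, rather than one the provider reports about itself, is the evidence an audit like the one the ICO performed would ask for.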