The B2B Podcast Index
The Small Business Cyber Security Guy | Cybersecurity for SMB & Startups

Monopoly, Neglect and a Near‑Million Pound Fine: Lessons from South Staffordshire Water

The Small Business Cyber Security Guy | Cybersecurity for SMB & Startups · 2026-05-15 · 16 min

Episode notes

They said the fine was £828,000 in some headlines — the ICO said £963,900. Numbers matter, but the real scandal is deeper than a headline figure: this is about trust, monopoly, and a regulator that finally acted. In this episode the Small Business Cyber Security Guy tells the story of how a single phishing email in September 2020 became a twenty‑month lodger inside a utility network, and how a monopoly provider of an essential service left hundreds of thousands of people exposed.

It starts small: a malicious attachment, a foothold, then complacency. For almost two years the attacker lived in the estate, quiet and unseen, until May 2022 when they began a methodical campaign of lateral movement and privilege escalation. By July they held domain administrator access — the keys to the kingdom. They weren’t stealthy ninjas; they were guests who moved in, opened the cupboards, and helped themselves.

Detection? Not artisanal monitoring or heroic threat hunting. It was system performance degradation — the IT equivalent of noticing the house is on fire because the TV has melted.
