What changed
The ICO issued a £963,900 fine against South Staffordshire Plc and South Staffordshire Water Plc following a major cyber attack that affected personal data relating to more than 630,000 people.
The ICO said attackers were able to access the organisation’s network through a phishing email and that the initial access went undetected for a significant period. The case highlights how cyber security controls, monitoring, access management and incident detection all form part of practical data protection compliance.
Why does a cyber attack become a data protection issue?
A cyber attack becomes a data protection issue when personal data is accessed, lost, altered, disclosed, or put at risk. UK GDPR requires organisations to use appropriate security measures, which means technical controls, staff awareness, access management and monitoring all matter.
Why this matters
This enforcement action is a reminder that data protection compliance is not limited to privacy notices, policies or consent wording. If personal data is held by an organisation, the organisation also needs appropriate cyber security and governance controls around that data.
The case is especially relevant for organisations that hold large volumes of customer, employee or service-user data. Phishing, excessive access rights, weak monitoring and delayed detection can all increase risk. For wider updates across privacy, cyber security and data protection, see our Regulatory Updates page.
What organisations should do
Organisations should treat this case as a prompt to review basic cyber resilience and data protection security controls.
- Review phishing training and staff awareness processes.
- Check whether privileged access and administrator accounts are properly restricted.
- Review monitoring and alerting arrangements so unusual access is identified quickly.
- Check whether incident response processes are clear, tested and understood internally.
- Review whether personal data holdings, systems and security risks are properly documented.
Practical takeaway
Cyber security is part of data protection compliance. Organisations should not wait for an incident before reviewing phishing controls, access rights, monitoring, incident response and the security of systems holding personal data.
Grounded in
ICO enforcement action against South Staffordshire Plc and South Staffordshire Water Plc, including findings relating to cyber security, phishing, delayed detection, and the protection of personal data under UK GDPR.
Sources
- Information Commissioner’s Office: fine of nearly £1m issued against South Staffordshire Plc and South Staffordshire Water Plc, 11 May 2026.
- Information Commissioner’s Office: guidance on security under UK GDPR.