There’s a story out of the United Kingdom this week that every small business owner in the Triangle should read carefully. Not because it happened to a giant company. Not because it involved exotic, state-of-the-art attack techniques. The opposite: it happened because of basic, unglamorous IT failures – the same failures we see every week in small businesses across North Carolina. The price tag for those failures, finalized this week: nearly GBP1 million in fines, 4.1 terabytes of customer data dumped on the dark web, and 633,887 people’s personal information now circulating in criminal markets.
The company is South Staffordshire Water, a utility that supplies drinking water to about 1.6 million people in the English Midlands. The UK’s Information Commissioner’s Office (ICO) announced its fine this past week, closing the books on an incident that started with one bad click in September 2020 and ended with the company writing a regulator a check four and a half years later.
Here’s what happened, what they missed, and the very specific lessons your business should take from it – because every one of the failures the ICO identified is something we routinely find in small business environments here in the Triangle.
The Timeline: How One Phishing Email Became a GBP964,000 Fine
- September 11, 2020 – An employee opens a phishing email attachment. Two pieces of malware are installed on the network: Get2, a downloader, and SDBbot, a remote access Trojan.
- September 2020 to May 2022 – The malware sits inside the network for 20 months. Undetected. The company has no idea anything is wrong.
- May 17, 2022 – The attacker begins moving laterally through the network. Using a stolen domain administrator account and Remote Desktop Protocol, they access 20 different endpoints over the next two and a half months.
- July 15, 2022 – The breach is finally detected. Not by security tools. Not by monitoring. Not by alerts. It’s discovered because IT performance issues – specifically, “unscheduled database exports” slowing down the system – prompt someone to investigate.
- July 26, 2022 – A ransom note is discovered. The attackers had unsuccessfully tried to distribute it to staff. The Cl0p ransomware group is identified as the threat actor.
- August – November 2022 – 4.1 terabytes of stolen data is published on the dark web. Names, addresses, dates of birth, bank account details, National Insurance numbers, employee HR data, and information that could reveal disabilities of vulnerable customers on the Priority Services Register.
- December 2025 – The ICO notifies South Staffordshire of its intention to issue a fine.
- May 2026 – The fine is finalized at GBP963,900 (about $1.3 million USD), reduced 40% from the original GBP1.6 million because the company admitted liability early and cooperated.
Read that timeline again. Twenty-two months between the initial intrusion and discovery, and twenty of those months before the attackers even started moving. The only reason the attack was ever found was that the criminals got greedy and started running operations big enough to slow down the database. If they had been more patient, the breach might still be undetected today.
The Specific Failures the ICO Cited (And Why They Matter to You)
The ICO’s investigation laid out four specific security failures that justified the penalty. We are reproducing them here in order because every single one of these is something we routinely find when we walk into a small business for an environment review.
Failure 1: Use of Obsolete, Unsupported Software (Including Windows Server 2003)
Windows Server 2003 reached end of life in July 2015. At the time of the South Staffordshire intrusion it had been unsupported for over five years; at the time of this week's fine, nearly eleven. Apart from two emergency out-of-band fixes (for WannaCry in 2017 and BlueKeep in 2019), Microsoft has shipped no security updates for it since 2015.
And yet a critical national infrastructure provider supplying drinking water to 1.6 million people was still running it on production devices in 2022.
For small businesses, this failure is overwhelmingly common. Walk into a 25-person law firm, a medical practice, a small manufacturer, or an accounting office and you will frequently find: a Windows Server 2008 or 2012 R2 box that hosts “an old application we still need,” a Windows 7 workstation that runs a specific piece of hardware (a label printer, a microscope, a CNC machine), an unsupported version of QuickBooks, or a piece of practice management software whose vendor stopped issuing updates years ago.
Every one of those systems is a Windows Server 2003 in waiting. The vendor isn’t fixing security bugs. The operating system isn’t getting patches. Known vulnerabilities accumulate, and they don’t get fixed – they get exploited.
Failure 2: Only 5 Percent of the IT Environment Was Being Monitored
This is the failure that let the attackers stay undetected for nearly two years. South Staffordshire had monitoring tools in place. They covered 5 percent of the environment. The remaining 95 percent – the part where the attackers were operating – had no visibility, no logging, no alerting, and no one watching.
The ICO’s executive director, Ian Hulme, summarized it bluntly: “Waiting for performance issues or a ransom note to discover a breach is not acceptable.”
For small businesses, this is the most common gap we find. The firewall is set-and-forget. The antivirus runs on its own. There is no central log collection. There is no one reviewing security events. No one is watching for unusual administrator activity, unusual database queries, or unusual outbound network traffic. If an attacker gets onto a workstation tomorrow and starts mapping your network at 2 a.m., nobody will notice.
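To make this failure concrete, here is an added example (not code from the ICO's report, from South Staffordshire, or from any vendor's product) of the detection logic that would have caught the lateral movement in the timeline above: one privileged account, RDP, many hosts, in the middle of the night. It is written in Python over Windows Security events that are assumed to have already been collected from workstations and servers into a central store and normalized into simple records; a successful RDP logon is Security event 4624 with LogonType 10. The account names, host names and timestamps below are constructed for the example.

```python
"""Two detections for the South Staffordshire lateral-movement pattern,
run over exported Windows Security events (added example; sample data
is constructed, not real log data)."""
from collections import defaultdict
from datetime import datetime, timedelta

RDP = 10  # Security event 4624 with LogonType 10 = RemoteInteractive (RDP)


def _ts(s):
    # Exported timestamps are assumed to be UTC in ISO-8601 form.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def rdp_fanout(events, threshold=5, window=timedelta(hours=24)):
    """Accounts that RDP'd into at least `threshold` distinct hosts within any
    `window`-long period. Returns {account: sorted hosts in the busiest window}."""
    logons = defaultdict(list)
    for e in events:
        if e["EventID"] == 4624 and e["LogonType"] == RDP:
            logons[e["TargetUserName"]].append((_ts(e["TimeCreated"]), e["Computer"]))
    flagged = {}
    for account, entries in logons.items():
        entries.sort()
        best, start = set(), 0
        for end in range(len(entries)):
            while entries[end][0] - entries[start][0] > window:
                start += 1  # slide the window forward past old logons
            hosts = {host for _, host in entries[start:end + 1]}
            if len(hosts) >= threshold and len(hosts) > len(best):
                best = hosts
        if best:
            flagged[account] = sorted(best)
    return flagged


def off_hours_privileged_logons(events, privileged, start_hour=7, end_hour=19):
    """Successful logons by privileged accounts on weekends or outside
    [start_hour, end_hour) UTC. Adjust the hours to the business's timezone."""
    hits = []
    for e in events:
        if e["EventID"] != 4624 or e["TargetUserName"] not in privileged:
            continue
        t = _ts(e["TimeCreated"])
        if t.weekday() >= 5 or not (start_hour <= t.hour < end_hour):
            hits.append(e)
    return hits


def _ev(ts, user, host, logon_type=RDP, event_id=4624):
    return {"TimeCreated": ts, "EventID": event_id, "LogonType": logon_type,
            "TargetUserName": user, "Computer": host}


# Constructed sample records. 2022-05-16 is a Monday, 2022-05-17 a Tuesday.
SAMPLE_EVENTS = [
    # Normal: a user RDPs to the same jump host twice during the day.
    _ev("2022-05-16T09:02:11Z", "CORP\\jdoe", "JUMP01"),
    _ev("2022-05-16T13:40:55Z", "CORP\\jdoe", "JUMP01"),
    # Normal: an admin console logon (LogonType 2) at 10:15 on a weekday.
    _ev("2022-05-16T10:15:00Z", "CORP\\it-admin", "DC01", logon_type=2),
    # Suspicious: a domain-admin-level account hopping across six hosts at 1-3 a.m.
    _ev("2022-05-17T01:05:00Z", "CORP\\da-backup", "WS-FIN-01"),
    _ev("2022-05-17T01:22:00Z", "CORP\\da-backup", "WS-FIN-02"),
    _ev("2022-05-17T01:48:00Z", "CORP\\da-backup", "FILESRV01"),
    _ev("2022-05-17T02:10:00Z", "CORP\\da-backup", "WS-HR-03"),
    _ev("2022-05-17T02:31:00Z", "CORP\\da-backup", "DBSRV01"),
    _ev("2022-05-17T02:55:00Z", "CORP\\da-backup", "WS-ENG-07"),
]
PRIVILEGED = {"CORP\\it-admin", "CORP\\da-backup"}  # constructed: the admin accounts to watch

if __name__ == "__main__":
    for account, hosts in rdp_fanout(SAMPLE_EVENTS).items():
        print(f"ALERT rdp-fanout: {account} -> {len(hosts)} hosts: {', '.join(hosts)}")
    for e in off_hours_privileged_logons(SAMPLE_EVENTS, PRIVILEGED):
        print(f"ALERT off-hours: {e['TargetUserName']} on {e['Computer']} at {e['TimeCreated']}")
```

Both functions are the kind of rule a SIEM or EDR console runs continuously; the point is that they only work on the hosts whose logs you actually collect, which at South Staffordshire was 5 percent. One caveat: a patient attacker who touches one new host a day stays under a 24-hour, five-host rule, so run the same fan-out logic with a 7-day window and a lower threshold as well, and baseline each admin account's normal host set rather than relying on a single fixed number.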
Failure 3: Inadequate Vulnerability Management and Unpatched Critical Systems
The ICO specifically noted that South Staffordshire had no regular internal or external security scanning, and critical systems remained unpatched. The most damaging example: ZeroLogon (CVE-2020-1472), a flaw in the Netlogon Remote Protocol that Windows domain controllers use. An attacker who can reach a domain controller on the network, with no credentials at all, can use it to reset the domain controller's own machine account password and take over the entire domain. Microsoft published a patch on August 11, 2020, one month before the South Staffordshire intrusion began. South Staffordshire never installed it. That is how the attacker escalated to domain administrator.
For small businesses, the question to ask honestly: when was the last time someone ran a vulnerability scan on your network and acted on the results? For most small businesses, the answer is “never.” Servers go unpatched for months at a time. Firmware on switches and firewalls is years out of date. Critical vulnerabilities published in industry advisories never get reviewed, never get prioritized, and never get fixed.
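ZeroLogon is also a case where "installed" and "effective" are different things. Microsoft's August 2020 update only fully blocks the vulnerable Netlogon connections once the domain controller is in enforcement mode; until then it writes Netlogon events to the System log so administrators can find the devices that still depend on the old behaviour: 5827 and 5828 when a vulnerable connection is denied, 5829 when one is still allowed because enforcement is off, and 5830 and 5831 when one is allowed only because of an explicit policy exception. The following added example (not from the ICO report, from South Staffordshire, or from Microsoft) triages those events, assumed to have been exported from a domain controller's System log into simple records, to show whether the fix is actually enforced and which machine accounts still need attention. The domain controller, host and account names are constructed.

```python
"""Triage of the Netlogon events a ZeroLogon-patched domain controller writes
(added example; event IDs are Microsoft's documented ones for the
CVE-2020-1472 update; sample records are constructed)."""
from collections import defaultdict

# System-log events from provider "NETLOGON" introduced by the August 2020 update.
DENIED = {5827, 5828}               # vulnerable connection blocked (machine / trust account)
ALLOWED_NO_ENFORCE = {5829}         # vulnerable connection allowed: DC is NOT enforcing
ALLOWED_BY_EXCEPTION = {5830, 5831}  # allowed only because a policy exception exists


def triage_netlogon(events):
    """Summarise which accounts still use the vulnerable Netlogon secure channel
    and whether the DC can be shown to be out of enforcement mode."""
    allowed = defaultdict(int)
    exempted = defaultdict(int)
    denied = defaultdict(int)
    for e in events:
        if e.get("Provider") != "NETLOGON":
            continue  # other System-log noise is ignored
        eid, acct = e["EventID"], e.get("Account", "?")
        if eid in ALLOWED_NO_ENFORCE:
            allowed[acct] += 1
        elif eid in ALLOWED_BY_EXCEPTION:
            exempted[acct] += 1
        elif eid in DENIED:
            denied[acct] += 1
    return {
        # Any 5829 proves enforcement is off. No 5829 does NOT prove it is on:
        # perhaps no legacy client tried. Confirm via the registry (see note below).
        "enforcement_confirmed_off": bool(allowed),
        "allowed_vulnerable": dict(allowed),
        "allowed_by_exception": dict(exempted),
        "denied": dict(denied),
        # Every account here must be updated, replaced, or consciously accepted.
        "needs_action": sorted(set(allowed) | set(exempted) | set(denied)),
    }


def _ev(eid, account, provider="NETLOGON", computer="DC01"):
    return {"EventID": eid, "Provider": provider, "Account": account, "Computer": computer}


# Constructed sample: a DC still in the deployment phase, with a few legacy boxes.
BEFORE_ENFORCEMENT = [
    _ev(5829, "OLDSRV2003$"), _ev(5829, "OLDSRV2003$"), _ev(5829, "OLDSRV2003$"),
    _ev(5829, "NAS-LEGACY$"),
    _ev(5827, "WS-OLD7$"), _ev(5827, "WS-OLD7$"),
    _ev(5830, "PRINTSRV$"),
    {"EventID": 4624, "Provider": "Microsoft-Windows-Security-Auditing", "Account": "jdoe"},
]
# Constructed sample: the same DC after enforcement; vulnerable attempts are now denied.
AFTER_ENFORCEMENT = [
    _ev(5827, "OLDSRV2003$"), _ev(5827, "NAS-LEGACY$"), _ev(5830, "PRINTSRV$"),
]

if __name__ == "__main__":
    for label, sample in (("before", BEFORE_ENFORCEMENT), ("after", AFTER_ENFORCEMENT)):
        report = triage_netlogon(sample)
        print(f"[{label}] enforcement confirmed off: {report['enforcement_confirmed_off']}")
        print(f"[{label}] needs action: {', '.join(report['needs_action'])}")
```

Read the "needs action" list as a work queue: the accounts logging 5829 are the devices that will break when enforcement is turned on and must be patched or retired first, and the ones logging 5830/5831 are exceptions someone created that should be reviewed. Absence of 5829 events is not proof of enforcement; confirm it directly on each domain controller with the registry value `FullSecureChannelProtection` under `HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters` (1 means enforcement), which the August 2020 update introduced, or by verifying the DC has the February 2021 or later cumulative update that made enforcement the default.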
Failure 4: No Least-Privilege Enforcement
“Least privilege” means giving every user and every system only the access they need to do their job – and no more. South Staffordshire did not enforce this. Once the attackers got onto one workstation, the path to domain administrator was wide open. There was no segmentation between user accounts and admin accounts. There was nothing slowing the escalation down.
For small businesses, this is endemic. Almost every small business we walk into has employees running as local administrators on their own machines. Service accounts have far more access than they need. Old admin accounts from former employees are still active. There is no clean separation between regular user activity and privileged activity. When one machine gets compromised, the attacker often has line of sight to everything.
“But We Are Not a Water Utility – Why Does This Matter to a 15-Person Business in Raleigh?”
Three reasons.
First, the consequences are not limited to critical infrastructure. The ICO is the UK's data protection regulator; in the United States that role is spread across state attorneys general, the Federal Trade Commission, and sector-specific regulators, and the same kind of incident triggers different but equally serious consequences. State data breach notification laws (North Carolina included). HIPAA enforcement for medical practices. PCI penalties for businesses handling credit card data. FERPA obligations for educational institutions. FTC enforcement under Section 5 of the FTC Act for unreasonable security practices. Class action lawsuits from affected customers. Contractual penalties from clients whose data was exposed. None of these require you to be critical infrastructure to apply.
Second, the failures the ICO cited are not water-utility-specific failures. Unsupported software, weak monitoring, missing patches, and excessive admin rights are universal. A 12-person CPA firm in Cary has the same problems for the same reasons. A 30-person manufacturer in Smithfield has the same problems. A medical practice in Raleigh has the same problems. The size of the business doesn’t change the technical reality – it just changes the size of the fine if and when something goes wrong.
Third, the attacker pattern is the same. Cl0p did not pick South Staffordshire because it wanted to attack a water utility. It picked South Staffordshire because a phishing email landed, the malware ran, and nothing noticed for nearly two years. Most ransomware operations work the same way: mass phishing, automated scanning, opportunistic targeting, going wherever the doors are open. Your business is not below their notice. You are simply not on their list yet.
What Small Businesses Should Actually Do
The South Staffordshire case maps cleanly onto a set of basic IT hygiene practices that every small business should have in place. Each one is achievable. None of them require an enterprise security budget.
- Inventory your software and hardware. What’s running on your network? What operating systems? What versions? What firmware? Most small businesses don’t have an answer to this question and are surprised at what shows up when we look.
- Identify and replace end-of-life systems. If your business is still running Windows Server 2008/2012, Windows 7, or any other unsupported product, that needs to be on a planned migration path. Now. Not “when we get to it.”
- Establish a patch management routine. Servers patched on a tested schedule. Workstations on auto-update with verification. Network equipment firmware reviewed quarterly. Someone whose job it is to make sure this happens.
- Run real vulnerability scans. Internal and external. Quarterly minimum, monthly preferred. Act on the findings – especially the critical ones.
- Enforce least privilege. No regular users with local admin rights. Service accounts only as privileged as they need to be. Stale accounts removed promptly. Separation between regular accounts and admin accounts.
- Get real monitoring in place. Endpoint detection and response on every workstation and server. Centralized log collection. Alerting on the security events that matter. Someone watching.
- Right-size your IT environment. Decommission what you don’t need. Reduce the attack surface. Every server you don’t really need is one less system that has to be monitored, patched, and protected.
How Pendergrass Consulting Helps
The South Staffordshire case is, frankly, the cleanest possible argument for the work we do every day. The ICO’s list of failures is essentially a checklist of the gaps we find when we walk into a small business for the first time. Closing those gaps is the work.
Our comprehensive services for small businesses across the Triangle include:
- Environment review – a full top-to-bottom look at what’s running in your business: workstations, servers, network gear, software versions, end-of-life systems, the state of patching, user accounts and admin rights, monitoring coverage, backups, and vendor relationships. You get a clear picture of where you stand.
- Configuration review – examining how your systems are actually set up versus how they should be. Identifying drift from best practices, misconfigurations that create risk, and settings that need to be hardened.
- Right-size assessment – many small businesses are over-provisioned in some areas and under-provisioned in others. Old servers that should be decommissioned. New systems that should be deployed. Right-sizing reduces both cost and attack surface.
- Network and security assessment – external and internal vulnerability scanning. Reviewing firewall and switch configurations. Identifying exposed services, weak authentication, and unpatched systems.
- Patch and update management – ongoing, so your business does not become the next case study.
- Security awareness training for employees – because so many of these incidents, including South Staffordshire’s, start with one person clicking one thing.
- Active monitoring and incident response – so a breach gets detected in hours or days, not 20 months.
If you have never had a real environment review, a real configuration review, or a real conversation about what end-of-life software is still running in your business – that is exactly what we do. The first conversation is free. The conversation that costs you money is the one with a regulator, your lawyer, and your customers after something has already happened.
Pendergrass Consulting
Phone: 252-432-3325
Email: Sales@PendergrassConsulting.com
110 S. Massey St., Suite 201, Selma, NC 27576
Pendergrass Consulting is a full-service IT firm based in Selma, NC, serving small businesses across the Research Triangle, Raleigh, Cary, Wake County, Johnston County, and nationally for web, hosting, email, cloud backup, cybersecurity, and digital marketing services.