ctipilot.ch

ZeroLogon — Netlogon privilege escalation; chained by Cl0p in South Staffordshire Water 2020-2022 intrusion (cited in ICO 2026-05-11 enforcement)

cve · CVE-2020-1472

  • Coverage timeline: 1 (first 2026-05-12 → last 2026-05-12)
  • Briefs: 1 (1 distinct)
  • Sources cited: 4 (4 hosts)
  • Sections touched: 0
  • Co-occurring entities: 3 (see Related entities below)

Story timeline

  1. 2026-05-12 · CTI Daily Brief — 2026-05-12

Source distribution

  • ico.org.uk · 1 (25%)
  • therecord.media · 1 (25%)
  • theregister.com · 1 (25%)
  • attack.mitre.org · 1 (25%)

Related entities

Items in briefs about ZeroLogon — Netlogon privilege escalation; chained by Cl0p in South Staffordshire Water 2020-2022 intrusion (cited in ICO 2026-05-11 enforcement) (2)

ICO fines South Staffordshire Water £963,900 — water-sector OES with partial SIEM coverage; Cl0p attribution and ZeroLogon kill-chain detail sourced to The Record

From CTI Daily Brief — 2026-05-12 · published 2026-05-12

The UK Information Commissioner's Office on 2026-05-11 issued a £963,900 fine against South Staffordshire Plc and its water-supply subsidiary for the 2020–2022 intrusion. The ICO's published findings cite inadequate vulnerability management, unpatched critical systems, obsolete unsupported software (the estate still contained Windows Server 2003, EOL since July 2015), and incomplete SIEM coverage; the regulator does not name a CVE or threat actor in its public notice.

The technical kill-chain detail — phishing initial access in September 2020 → CVE-2020-1472 (ZeroLogon, T1068) against two unpatched domain controllers → domain admin → ~20 months of unimpeded lateral movement → detection in July 2022 when IT performance degraded — comes from The Record's reporting, as does the Cl0p attribution.

The ICO press release records that data on about 1.85 million customers (approximately 750,000 current and 1.1 million former) was held by the company, of which 633,887 individuals had data published on the dark web, and that the published dataset totalled over 4.1 TB including customer credentials, bank account/sort codes, Priority Services Register data (from which disability status can be inferred) and HR records (The Register, 2026-05-11). The fine was reduced 40% on the basis of early admission and cooperative engagement; South Staffordshire agreed not to appeal.

Why it matters to us: The ICO action is the first significant post-Cyber-Security-and-Resilience-Bill UK regulatory action against a water-sector OES, and the regulator's operational findings map directly onto NIS2 Article 21 technical measures and the German KRITIS-DachG public-administration scope that came into force this spring. Concrete defender takeaways: (a) measure actual SIEM/XDR coverage as a percentage of the hostname inventory rather than by sensor-licence count; partial coverage leaves the lateral-movement path between uncovered hosts unobserved, however the covered subset was chosen; (b) the ZeroLogon pivot reported by The Record is a long-tail patch-management hygiene point on domain controllers that any SOC can audit against today, CVE-2020-1472 having been patched in August 2020; (c) the detection logic that survives this case is Windows Security and System log auditing on the domain controllers themselves rather than Sysmon: event 4742 (computer account changed) where the target is a DC machine account and the subject is not that account, which is how the exploit's reset of the DC account password surfaces, plus the NETLOGON events 5827–5831 that Microsoft's August 2020 update introduced to flag vulnerable Netlogon secure-channel connections; 4769 Kerberos service-ticket anomalies are a secondary signal for the lateral movement that follows, not for the pivot itself. Re-check that same DC audit baseline after vendor disclosure of any DC-impacting CVE.
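An added example of that DC audit logic, written for this page and not code from the brief, the ICO notice or The Record: a PowerShell check that flags the two ZeroLogon signals named in (c) over domain-controller event records. ConvertFrom-DcEvent and Test-ZeroLogonIndicator are hypothetical names; the live-collection lines assume the RSAT ActiveDirectory module, and the sample events at the bottom are constructed so the check runs offline. Note that 4742 is only written if the "Audit Computer Account Management" subcategory is enabled on the DCs, so confirming that policy is part of the audit.

```powershell
# Added example (not from the ctipilot.ch brief or any cited source):
# ZeroLogon indicator check over DC event records. Names and sample data constructed.

# Flatten a live EventRecord (from Get-WinEvent) into the few fields the check needs.
function ConvertFrom-DcEvent {
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    $x = [xml] $Record.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }   # Security events carry Name/value pairs here
    [pscustomobject]@{
        Id              = $Record.Id
        TimeCreated     = $Record.TimeCreated
        Computer        = $Record.MachineName
        TargetUserName  = $d['TargetUserName']
        SubjectUserName = $d['SubjectUserName']
    }
}

function Test-ZeroLogonIndicator {
    param(
        [Parameter(Mandatory)] [object[]] $Events,      # objects shaped like ConvertFrom-DcEvent output
        [Parameter(Mandatory)] [string[]] $DcAccounts   # DC machine accounts, e.g. 'DC01$'
    )
    $dcSet = [System.Collections.Generic.HashSet[string]]::new(
        [string[]] $DcAccounts, [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($e in $Events) {
        switch ($e.Id) {
            4742 {
                # The exploit resets the DC machine-account password through
                # NetrServerPasswordSet2. On the DC that lands as Security 4742 with the
                # DC's own account as target and an unexpected subject (typically
                # ANONYMOUS LOGON). Routine 30-day rotation has the account as its own subject.
                if ($dcSet.Contains([string] $e.TargetUserName) -and
                    $e.SubjectUserName -ne $e.TargetUserName) {
                    [pscustomobject]@{ Reason = 'DC machine-account change by unexpected subject'; Event = $e }
                }
            }
            { $_ -in 5827, 5828, 5829, 5830, 5831 } {
                # System-log NETLOGON events introduced by the August 2020 update:
                # 5827/5828 denied vulnerable secure-channel connections, 5829 an
                # allowed one (pre-enforcement), 5830/5831 allowed by explicit policy.
                [pscustomobject]@{ Reason = "Vulnerable Netlogon secure channel (event $($e.Id))"; Event = $e }
            }
        }
    }
}

# Live collection on a DC (run elevated; needs RSAT ActiveDirectory for the DC list):
#   $sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4742 } -ErrorAction SilentlyContinue
#   $sys = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5827, 5828, 5829, 5830, 5831 } -ErrorAction SilentlyContinue
#   $events = @($sec) + @($sys) | ForEach-Object { ConvertFrom-DcEvent $_ }
#   $dcs    = (Get-ADDomainController -Filter *).Name | ForEach-Object { "$_`$" }
#   Test-ZeroLogonIndicator -Events $events -DcAccounts $dcs

# Constructed sample (not real telemetry) for an offline run:
$sample = @(
    [pscustomobject]@{ Id = 5829; TimeCreated = '2020-09-14T09:11:58'; Computer = 'DC01'; TargetUserName = $null;     SubjectUserName = $null }
    [pscustomobject]@{ Id = 4742; TimeCreated = '2020-09-14T09:12:03'; Computer = 'DC01'; TargetUserName = 'DC01$';   SubjectUserName = 'ANONYMOUS LOGON' }
    [pscustomobject]@{ Id = 4742; TimeCreated = '2020-09-14T10:00:00'; Computer = 'DC01'; TargetUserName = 'DC02$';   SubjectUserName = 'DC02$' }          # routine self-rotation, not flagged
    [pscustomobject]@{ Id = 4742; TimeCreated = '2020-09-14T10:05:00'; Computer = 'DC01'; TargetUserName = 'WS0042$'; SubjectUserName = 'Administrator' }  # workstation account, not a DC
)
Test-ZeroLogonIndicator -Events $sample -DcAccounts 'DC01$', 'DC02$' |
    Format-Table Reason, @{ n = 'Id'; e = { $_.Event.Id } }, @{ n = 'Time'; e = { $_.Event.TimeCreated } }
```

On the sample data the check returns two rows, the 5829 Netlogon event and the 4742 against DC01$ by ANONYMOUS LOGON; the DC02$ self-rotation and the workstation change are left alone. The subject-versus-target comparison is what keeps the rule quiet on a healthy domain, where every DC rewrites its own machine-account password on schedule.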

Audit SIEM/XDR telemetry coverage as a percentage of host inventory; the South Staffordshire 5%-coverage finding is the operational lesson

From CTI Daily Brief — 2026-05-12 · published 2026-05-12

For any NIS2 / KRITIS-DachG / CER essential-entity SOC: measure SIEM / XDR coverage by hostname inventory rather than by sensor-licence count. The South Staffordshire 5% finding is what the ICO judged inadequate for a water OES; with NIS2 transposition in force across the EU and KRITIS-DachG live in Germany, regulators now have a concrete UK precedent for what a failure of "proportionate technical measures" looks like in court. Practical first step: pull the list of every enabled Active Directory–joined host from AD; cross-reference it against the EDR / SIEM data-source list, normalising names so that an FQDN from AD and a short hostname from the sensor export compare equal; flag the delta. The delta is what the ICO would call the gap.
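The three-step audit above as an added PowerShell example, written for this page and not code from the brief or the cited sources. Get-TelemetryCoverageGap is a hypothetical name; the live pull assumes the RSAT ActiveDirectory module and a CSV export from the EDR/SIEM whose column name is product-specific, and the two host lists at the bottom are constructed so the function runs offline.

```powershell
# Added example (not from the ctipilot.ch brief): coverage delta between the
# AD-joined host inventory and the hosts actually reporting to SIEM/EDR.

function Get-TelemetryCoverageGap {
    param(
        [Parameter(Mandatory)] [string[]] $AdHosts,      # DNSHostName values from Get-ADComputer
        [Parameter(Mandatory)] [string[]] $SensorHosts   # hostnames from the SIEM/EDR data-source export
    )
    # Normalise to an upper-case short name so 'dc01.corp.example' (AD) and
    # 'DC01' (sensor self-reported name) compare equal.
    $norm = { param($h) ($h.Trim().Split('.')[0]).ToUpperInvariant() }
    $ad      = @($AdHosts     | Where-Object { $_ } | ForEach-Object { & $norm $_ } | Sort-Object -Unique)
    $sensors = @($SensorHosts | Where-Object { $_ } | ForEach-Object { & $norm $_ } | Sort-Object -Unique)
    $sensorSet = [System.Collections.Generic.HashSet[string]]::new([string[]] $sensors)
    $adSet     = [System.Collections.Generic.HashSet[string]]::new([string[]] $ad)

    $uncovered = @($ad      | Where-Object { -not $sensorSet.Contains($_) })   # in AD, silent in the SIEM
    $orphans   = @($sensors | Where-Object { -not $adSet.Contains($_) })       # reporting, but not in AD
    $covered   = $ad.Count - $uncovered.Count
    [pscustomobject]@{
        InventoryCount  = $ad.Count
        CoveredCount    = $covered
        CoveragePercent = if ($ad.Count) { [math]::Round(100 * $covered / $ad.Count, 1) } else { 0 }
        Uncovered       = $uncovered   # the delta: what the ICO would call the gap
        OrphanSensors   = $orphans     # decommissioned or non-domain hosts; reconcile separately
    }
}

# Live pull (domain-joined host with the RSAT ActiveDirectory module):
#   $adHosts     = (Get-ADComputer -Filter 'Enabled -eq $true' -Properties DNSHostName).DNSHostName
#   $sensorHosts = (Import-Csv .\edr-hosts.csv).Hostname   # column name depends on your product's export
#   Get-TelemetryCoverageGap -AdHosts $adHosts -SensorHosts $sensorHosts

# Constructed sample lists (not a real estate) for an offline run:
$adSample     = 'dc01.corp.example', 'dc02.corp.example', 'scada-hist01.corp.example', 'ws0042.corp.example', 'fs01.corp.example'
$sensorSample = 'WS0042', 'fs01.corp.example', 'kiosk-7'
$gap = Get-TelemetryCoverageGap -AdHosts $adSample -SensorHosts $sensorSample
'{0}/{1} hosts reporting ({2}%)' -f $gap.CoveredCount, $gap.InventoryCount, $gap.CoveragePercent
'Uncovered: ' + ($gap.Uncovered -join ', ')
'Orphan sensors: ' + ($gap.OrphanSensors -join ', ')
```

On the sample lists this reports 2/5 hosts reporting (40%), with DC01, DC02 and SCADA-HIST01 uncovered and KIOSK-7 as an orphan sensor. The uncovered list is the number to put in front of management; the orphan list is the reconciliation work that stops the licence count being mistaken for coverage.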