The company, which provides drinking water to approximately 1.3 million people, has warned customers who were affected to improve the security of their banking and apologised for the data theft in August which was only revealed last month.
South Staffs Water is working with "leading the police and relevant Government agencies about the cyber attack".
Andy Willicott, managing director or South Staffs Water said: “We understand that customers trust us to keep their data safe and I’d personally like to say sorry to all those customers impacted – we’ll be doing what we can to support you through this.
“We will continue to invest in protecting our customers, our systems, and our data. We continue to supply safe water to all of our South Staffs Water customers. Our customer service, operations and maintenance teams also continue to operate as usual.”
The company has created an advice and support web page for customers who are worried their bank accounts could be vulnerable to further attackers.
Explaining what had been stolen in the cyber attack, the company said: "The data affected in the incident was the name and address of the water account holder, together with the sort code and account number used for the Direct Debit and other information needed to operate your water account and provide you with fresh drinking water.
"Our investigation into this incident is ongoing and we are still assessing the potential impact on customer data. As we identify groups of customers who need to take action because their data has been impacted we are, of course, notifying them as soon as possible."
Explaining why the company took three months to notify customers about their bank details being leaked, they said: "Investigations like this are very complex and it takes time to understand what happened and then to analyse the data that could have been impacted.
"As soon as we were aware that we needed to notify our customers in compliance with our legal obligations, we began to do so."
Customers have been offered the credit programme True Identity free for a year which will alert them if anyone attempts to use their details fraudulently.
South Staffs Water customer Leslie Burkwood branded the letter she received about the fraud as "gobbledy-gook".
She said: "South Staffs Water sent a six-page incomprehensible letter full of scary gobbledy-gook on the outcome and what their customers should do to protect their personal banking information.
"The implication is that false direct debit mandates could be fraudulently set up on the customer accounts where they have set up their direct debit mandates to pay their water bills."
Leslie was forced to visit her local Santander branch about the matter.
For more information about the consequences of the cyber-attack visit https://www.south-staffs-water.co.uk/help-and-advice.