Southern Water cyberattack expected to hit hundreds of thousands of customers

UK utilities giant Southern Water admits between 5 and 10 percent of its customers have had their data stolen during a January cyberattack.

This is on top of the undisclosed proportion of current and former staff that are also said to be affected. The company, which provides water and wastewater services to millions of households, will be writing to those whose data was stolen directly in the coming days.

The announcement comes just shy of four weeks after Reg readers were first to know about the intrusion, which was claimed by the Black Basta ransomware group.

It should be said that Southern Water still hasn’t confirmed ransomware was involved in the incident.

However, it was fairly evident from the outset that both staff and customers were affected by the data breach. In typical Black Basta fashion, the gang dumped a plethora of the stolen data online, including identity documents and HR files.

The information revealed in this initial data dump was enough to verify through simple means that the documents were genuine and implicated both customers and employees.

In a letter sent to customers already, seen by El Reg, Southern Water said names, dates of birth, national insurance numbers, bank account numbers, sort codes, and payment reference numbers may have been stolen. This data was all visible online from the beginning.

It’s understood that customers will be sent different versions of the letter depending on the data believed to be stolen. Affected individuals have also been offered a free 12-month Experian Identity Plus membership for credit monitoring.

Per the utility company’s website, it provides water services to 2.5 million customers and wastewater services to more than 4.7 million customers. That means that if the quoted 5 percent to 10 percent range is accurate, hundreds of thousands of customers will potentially be receiving letters from the company soon, informing them that their data was stolen.

Offering some comfort, Southern Water’s latest statement confirmed that the third-party investigators called in to analyze the incident found no new evidence that data was further published online.

“We are very sorry that this has happened,” the company said.

“Throughout this process we have been working with Government, our regulators, and the National Cyber Security Centre. We have also notified the police and the Information Commissioner’s Office.

“Since the incident, our IT security teams have worked with independent incident response experts, using enhanced monitoring and protection tools to check actively for any suspicious activity on our IT estate. Southern Water’s operations and services to customers have not been impacted.

“Further updates will be posted on our website and social media channels as we know more. Please be assured that if at any point we have reason to believe your data may be impacted, we will notify you, in line with our regulatory obligations.”

At the time of writing, Black Basta appears to have removed its post about Southern Water from its leak blog.

Usually this is only done when a victim pays a ransom. We asked Southern Water about this but it declined to comment.

Critical infrastructure has long been a target for ransomware groups given the severe disruption to civil society an outage could potentially cause.

The water and wastewater sectors have become an increasingly targeted subset of these critical organizations over the past year, an observation that prompted national cybersecurity agencies such as CISA and the UK NCSC to publish advisories highlighting the ongoing threat.

One of the most serious examples recently came in November when a Pennsylvania water authority was attacked by Cyber Aveng3rs, a group experts believe to be Iran-aligned.

Programmable logic controllers were targeted and displayed anti-Israel messaging, which also explained that compromising Israel-manufactured technology would be an ongoing goal for the group.

Now-shuttered Conti also claimed an attack on Thames Water in 2022, a claim that turned out to be partly mistaken: the gang had actually breached South Staffordshire, parent company of South Staffs Water and Cambridge Water. ®