Southern Water customer data was taken in ransomware attack


Southern Water has started to contact customers whose data was stolen in a January 2024 ransomware attack on its systems

By Alex Scroxton, Security Editor

Published: 14 Feb 2024 14:20

UK utility Southern Water has confirmed that the personal data of a number of its customers was stolen by the ransomware gang that attacked its systems in January 2024.

The cyber attack on Southern Water was claimed by the Black Basta crew, which posted details of the incident to its dark web leak site on 22 January, giving the utility until 29 February to respond.

While it remains unknown whether or not Southern Water has engaged with its attacker, the organisation said it had now found that data from a “limited part” of its server estate had been stolen.

According to the BBC, which obtained a copy of the email notification, the data stolen includes customer names, birthdates, National Insurance numbers, bank account details, and customer reference numbers.

A Southern Water spokesperson said: “We are very sorry that this has happened. We continue to work with our expert technical advisers to confirm whose data is at risk. Our initial assessment is that this is the case for some of our customers and current and former employees.”

The spokesperson said that Southern Water’s cyber support partners had to date found no evidence that the stolen data has been published online, but that, in line with its legal and regulatory obligations, the company had nevertheless begun the process of informing customers who may be at risk. It has also notified the Information Commissioner’s Office (ICO).

“Based on our forensic investigations so far, which are ongoing, we are notifying in the order of 5% to 10% of our customer base to let them know that their personal data has been impacted. We are also notifying all of our current employees and some former employees,” they said.

Included in these notifications is further cyber advice and guidance, and details of a support package, including free-of-charge credit monitoring through Experian.

Good practice

Javvad Malik, lead security awareness advocate at KnowBe4, said Southern Water’s response set a good example of best practice for others to follow.

“The fact that they’ve initiated steps such as notifying affected individuals and collaborating with government and regulatory bodies showcases an adherence to best practices in incident response,” said Malik.

“However, the response does not stop there. The threat of the stolen data being weaponised to use against employees, customers, and third parties remains high, so people should be provided with clear instructions, and it should be made easy for them to implement them, to better safeguard themselves in the future.”

Lucky escape?

The UK authorities, and their counterparts in the US, are highly alarmed by the prospect of cyber attacks against operators of critical national infrastructure (CNI), which includes utilities such as Southern Water.

Such organisations are valuable targets for both financially motivated attackers such as ransomware gangs, which know they hold vast stores of useful data and are incentivised to pay to avoid service disruption, and state-sponsored attackers, which can leverage the disruption in the service of their governments’ goals.

The nightmare scenario in such an attack would be disruption to water supplies, or an incident in which the chemical content of water was altered to cause harm.

Such attacks do happen. A December 2023 attack on a small supplier in Ireland cut off services to multiple customers, while an attack on a Florida facility in February 2021 came close to poisoning a small town by increasing the lye (sodium hydroxide) content of the water supply; this was averted by an eagle-eyed plant worker.

Southern Water may therefore have had a relatively lucky escape, since Black Basta’s goal seems to have been data theft and extortion, as Ryan McConechy, chief technology officer at Barrier Networks, observed.

“This attack against Southern Water demonstrated how vulnerable critical national infrastructure is to hacking today. Fortunately, in this case it was only data that was compromised; had the attackers gained access to the operational controls running the utility, the outcome could have been very different,” he said.

“But this doesn’t make light of the situation because criminals now have access to sensitive customer data, which exposes them to both financial and identity fraud.”
