Southern Water customer data was taken in ransomware attack

Dmitry Naumov – stock.adobe.com

Southern Water has started to contact customers whose data was stolen in a January 2024 ransomware attack on its systems

Alex Scroxton,
Security Editor

Published: 14 Feb 2024 14:20

UK utility Southern Water has confirmed that the personal data of a number of its customers was stolen by the ransomware gang that attacked its systems in January 2024.

The cyber attack on Southern Water was claimed by the Black Basta crew, which posted details of the incident to its dark web leak site on 22 January, giving the utility until 29 February to respond.

Whether or not Southern Water has engaged with its attacker remains unknown, the organisation said it had now found that data from a “limited part” of its server estate had been stolen.

According to the BBC, which obtained a copy of the email notification, the data stolen includes customer names, birthdates, National Insurance numbers, bank account details, and customer reference numbers.

A Southern Water spokesperson said: “We are very sorry that this has happened. We continue to work with our expert technical advisers to confirm whose data is at risk. Our initial assessment is that this is the case for some of our customers and current and former employees.”

The spokesperson said that its cyber support partners had to date found no evidence that the stolen data has been published online, but nevertheless, as per its legal and regulatory obligations, it has now begun the process of informing customers who may be at risk. It has also notified the Information Commissioner’s Office (ICO).

“Based on our forensic investigations so far, which are ongoing, we are notifying in the order of 5% to 10% of our customer base to let them know that their personal data has been impacted. We are also notifying all of our current employees and some former employees,” they said.

Included in these notifications is further cyber advice and guidance, and details of a support package, including free-of-charge credit monitoring through Experian.

Good practice

Javvad Malik, lead security awareness advocate at KnowBe4, said Southern Water’s response set a good example of best practice for others to follow.

“The fact that they’ve initiated steps such as notifying affected individuals and collaborating with government and regulatory bodies showcases an adherence to best practices in incident response,” said Malik.

“However, the response does not stop there. The threat of the stolen data being weaponised to use against employees, customers, and third parties remains high, so people should be provided clear instructions and make it easy for them to implement it to better safeguard themselves in the future.”

Lucky escape?

The UK authorities, and their counterparts in the US, are highly alarmed by the prospect of cyber attacks against operators of critical national infrastructure (CNI), which includes utilities such as Southern Water.

Such organisations are valuable targets for both financially motivated attackers such as ransomware gangs, which know they hold vast stores of useful data and are incentivised to pay to avoid service disruption, and state-sponsored attackers, which can leverage the disruption in the service of their governments’ goals.

The nightmare scenario in such an attack would be disruption to water supplies, or an incident in which the chemical content of water was altered to cause harm.

Such attacks do happen. A December 2023 attack on a small supplier in Ireland cut off services to multiple customers; while an attack on a Florida facility in February 2021 came close to poisoning a small town by increasing the lye (sodium hydroxide) content of the water supply, but this was averted by an eagle-eyed plant worker.

As such, Southern Water may have had a relatively lucky escape, as Black Basta’s goal seems to have been data theft and extortion, as Ryan McConechy, chief technology officer at Barrier Networks, observed.

“This attack against Southern Water demonstrated how vulnerable critical national infrastructure is to hacking today. Fortunately, in this case it was only data that was compromised, had the attackers gained access to the operational controls running the utility, the outcome could have been very different,” he said.

“But this doesn’t make light of the situation because criminals now have access to sensitive customer data, which exposes them to both financial and identity fraud.”

Read more on Data breach incident management and recovery

NCSC warns CNI operators over ‘living-off-the-land’ attacks