Southern Water confirms customer data breach
Stems from Black Basta attack last month
Southern Water, which provides water and wastewater services across Kent, Sussex, Hampshire and the Isle of Wight, has confirmed that data from a "limited portion" of its server infrastructure was compromised in a cyberattack last month.
The company said it had been monitoring suspicious activities in its IT infrastructure since the attack.
Personal information and financial data belonging to an estimated 5-10% of its customers has been stolen in the breach, and there are now fears that it could be traded on the dark web.
"Based on our ongoing forensic investigations, we anticipate reaching out to approximately 5 to 10% of our customer base to inform them of the impact on their personal data," Southern Water stated.
Southern Water provides water to 2.5 million customers, and wastewater services to around 4.7 million.
Despite the breach, Southern Water has assured customers that essential services and water supplies remained unaffected.
The Black Basta ransomware group claimed responsibility for the attack last month. It shared a snippet of the stolen data, which included sensitive information such as scans of identity documents like passports and driving licenses; HR-related documents containing personal data of potentially both customers and employees; and corporate car-leasing documents disclosing personal details.
Black Basta said it had stolen 750 GB of data in total, threatening to expose all of it if Southern Water failed to pay a ransom within six days.
In an email to customers, Southern Water said the compromised data may include customers' names, dates of birth, national insurance numbers, bank account details and reference numbers.
The company is now notifying current and former employees about the breach. It shared its regret over the incident and has assured customers of its efforts to mitigate the fallout.
The water supplier has notified regulatory bodies and brought cyber professionals in to contain the breach and up its own digital defences.
"We have engaged leading independent cybersecurity experts to monitor the 'dark web'. We take data protection and information security very seriously and, in accordance with our regulatory obligations, we are making contact with anyone whose personal data may be at risk."
The ICO has confirmed receipt of a report regarding the incident and pledged to conduct a thorough investigation.
Recent advisories from authorities like the US Cybersecurity and Infrastructure Security Agency and the UK National Cyber Security Centre highlight the vulnerability of critical infrastructure to cyberattacks.
The attack on Southern Water follows a pattern of similar incidents targeting water organisations globally.
In 2022, the now-disbanded ransomware group Clop claimed responsibility for an attack on Thames Water.
However, instead of targeting Thames Water, the group inadvertently breached South Staffordshire, the parent company of South Staffs Water and Cambridge Water.