Southern Water, a major UK water supplier, has officially confirmed a recent ransomware attack resulting in unauthorized access to personal data belonging to both customers and employees. The company disclosed plans to notify approximately 5-10% of its customer base, equating to potentially between 230,000 and 460,000 individuals out of its 4.6 million customers in Southern England.
According to a statement released on February 13, 2024, the utility provider stated that all current employees and some former employees would also receive notifications regarding potential data exposure. These notifications will include guidance on mitigating risks and precautions against potential phishing attacks and identity theft threats.
The breach was initially disclosed on January 23 following the apparent leak of personal data by the Black Basta ransomware group. Southern Water confirmed that while a limited amount of data had been published, its operations and services remained unaffected. An investigation with technical experts revealed that data from a specific part of the company’s server estate was compromised.
Southern Water has engaged independent cybersecurity experts to monitor the dark web for any signs of leaked information. The company emphasized its ongoing collaboration with government agencies, regulators, law enforcement, and incident response experts to investigate the incident thoroughly.
Javvad Malik, Lead Security Awareness Advocate at KnowBe4, commended Southern Water’s transparency and response efforts, highlighting the persistent threat posed by cybercriminals to critical infrastructure organizations.
In response to the incident, Southern Water assured impacted customers of the legitimacy of emails notifying them of the breach and offering free identity and credit checks. Rebecca Moody, Head of Data Research at Comparitech, noted that the estimated impact on 5-10% of Southern Water’s customer base would rank among the largest data breaches in the utilities sector globally since 2018.
Chris Hauk, Consumer Privacy Advocate at Pixel Privacy, advised affected customers and employees to remain vigilant against potential phishing attempts and to utilize credit monitoring services offered by Southern Water.
However, the full extent of the breach’s impact is yet to be determined. Harman Singh, Managing Consultant and Director at Cyphere, pointed out that Southern Water’s initial inability to ascertain whether data was taken from its networks revealed gaps in event monitoring and analysis capabilities. The involvement of double extortion tactics by the attackers further complicates the situation, raising concerns about potential future data leaks.
