Southern Water has confirmed that personal data of both customers and employees has been accessed in a recent ransomware attack.
The UK water supplier revealed that it plans to notify 5-10% of its customer base to inform them that their personal information has been impacted. With the firm serving around 4.6 million customers in Southern England, this could equate to between 230,000 and 460,000 people.
In addition, all current employees and some former employees will be notified that their personal data may have been accessed, the company said in a post on February 13, 2024.
These notifications will offer advice and guidance on the potential risks to those affected, and precautionary steps on how to mitigate them. This is likely to warn of the potential threat of phishing attacks and identity theft that may occur if the stolen data is used by threat actors.
Data Leaked by Black Basta
Southern first revealed it had suffered a data breach on January 23. This followed the apparent leak of personal data held by the firm by the Black Basta ransomware group.
The utilities company confirmed at the time that “a limited amount of data has been published.”
However, the firm’s operations and services to customers were not impacted.
Following an investigation with expert technical advisors, Southern said that data from a limited part of its server estate was stolen in the attack.
There is currently no new evidence of the stolen data being published online. Southern has engaged independent cybersecurity experts to continue monitoring the dark web for signs that the information has been leaked.
“They will continue to carry out their checks for as long as is necessary,” the company stated.
Southern added that it is continuing to work with the government, regulators, law enforcement and incident response experts to investigate the incident and discover any more suspicious activity on its IT estate.
Javvad Malik, Lead Security Awareness Advocate at KnowBe4, praised Southern’s transparency and adherence to incident response best practices.
“While Southern Water's prompt acknowledgment of the breach and their engagement with cybersecurity experts to monitor potential data leaks is commendable, it highlights the persistent threat that cybercriminals pose to organizations, particularly ones in critical infrastructure,” he observed.
Ransomware incident response requires clear plans and processes internally, in addition to outside help that can quickly be called upon.
Sarah Pearce, Partner at law firm Hunton Andrews Kurth, told Infosecurity: "Highly skilled and seasoned lawyers, forensic experts and ransomware specialists, who engage and negotiate with the attackers, work closely together and all play an equally important role in the aftermath of an attack so it is important to have relevant advisers lined up in advance. Being prepared and knowing what to do, who to call etc. is vital.”
Southern Informs Impacted Customers
Several Southern customers contacted the firm on X (formerly Twitter) to check the validity of emails they received from the firm confirming their data was affected.
The screenshotted emails said the data accessed may include customers’ basic personal details for administering accounts and identifying them.
The company also appeared to offer impacted customers free identity and credit checks. Southern confirmed these emails were legitimate.
Rebecca Moody, Head of Data Research at Comparitech, told Infosecurity that Southern Water’s estimate that 5-10% of its customer base were impacted by the attack would make it one of the largest data breaches on a utilities company globally since 2018.
It will join Australia's Optus, which was hit in September 2022 in an attack affecting 9.8 million customers. Satellite television company Dish Network was targeted in February 2023, and that data breach affected nearly 297,000 customers.
Chris Hauk, Consumer Privacy Advocate at Pixel Privacy, said that all customers and current and former employees should act under the assumption that their data has been accessed, and stay alert for targeted phishing attempts using the personal information.
“Customers and employees should take advantage of any credit monitoring offered by Southern Water and should also be sure to keep a close watch on all of their accounts, while also being alert for any newly opened accounts,” he advised.
Incident Set to Run
The scale of the damage caused by the incident is likely not yet realized. Harman Singh, Managing Consultant and Director at Cyphere, told Infosecurity that the fact Southern was initially unable to determine whether any data was taken from its networks indicates a lack of event monitoring and analysis capabilities.
"Whether it's people, process or tech or all of these areas, this can only be known upon more details," he noted.
Singh added that Black Basta's usual tactics involved double extortion - both encrypting data and threatening to publish it online. It is currently unclear whether the attacker was able to successfully encrypt the stolen information, and if more will be leaked online in the coming weeks and months.