South Staffs Water customer data leaked after ransomware attack

Personal data of water utility’s direct debit customers exposed on the dark web following a Clop ransomware attack

Utility South Staffordshire Water has been forced to apologise to customers after bank details stolen in a Clop (aka Cl0p) ransomware attack on its systems were leaked on the dark web.

The firm – which is operated by a parent company that also oversees Cambridge Water – has been working alongside forensic security experts on the investigation and said it has now discovered that although water supply was unaffected, the ransomware operatives did manage to access personal data.

In a letter sent to affected customers, South Staffs Water said data related to customers who pay their bills via direct debit had been compromised. It included names and addresses, bank details including sort codes and account numbers, and may include other personal data.

The firm has now put in place a support package including a telephone helpline, and free access to a credit monitoring service, for those affected.

The company said customers who have not received a letter do not need to take action at this stage, but the investigation is understood to be ongoing and other customers may yet be found to have been affected.

“Consumers can have complete confidence that the water we supply is safe,” said South Staffs Water managing director Andy Willicott.

“We understand that customers trust us to keep their data safe and I’d personally like to say sorry to all those customers impacted – we’ll be doing what we can to support you through this. We will continue to invest in protecting our customers, our systems and our data.”

Customers speaking to the Birmingham Mail told of their frustration at South Staffs Water’s response to the incident, accusing Willicott of trying to minimise the issue and of reckless behaviour.


The ransomware attack took place in August 2022 and was executed in somewhat botched style by the Clop cartel, which seemed to be under the impression that it was attacking and extorting Thames Water, a mix-up that confused matters for a time.

In statements posted to the dark web in August, a Clop operative railed against the gang’s supposed victim, accusing it of malpractice and encouraging customers to mount a class action lawsuit against it. The operative also accused Thames Water of failing to respond to its ransom demands, which was not surprising given that it had not actually been attacked.

Erfan Shadabi, cyber security expert at comforte AG, commented: “Breaches like the one affecting South Staffs Water, which has exposed the PII [personally identifiable information] of many customers, unfortunately, happen all too often, but the alarming thing is that they are happening with ever-greater frequency across all industries. Why? This data is so valuable to threat actors for the reasons stated above.

“The sobering reality is that these breaches don’t necessarily have to happen. Any business that collects PII needs to understand that they are high-profile targets and assume that a cyber attack is imminent.

“IT leaders need to rethink their data security posture, strengthen outdated traditional controls such as border security with next-generation capabilities and, most importantly, protect the very data itself that threat actors are after. Data-centric security, such as tokenisation, can convert sensitive data to innocuous and incomprehensible information that hackers simply can’t use or compromise, even if they get direct access to it.”
