
South Staffs Water faces group action over Clop ransomware attack

South Staffordshire Plc, the parent company of South Staffordshire and Cambridge Water, is facing legal action from customers whose data was compromised in a 2022 Clop ransomware attack.

Close to 1,000 people have now signed up to an ongoing class action claim against South Staffordshire Plc after their data was stolen and leaked by the Clop/Cl0p ransomware crew.

South Staffordshire Plc – which is the parent of South Staffordshire Water and Cambridge Water – served 1.6 million customers in the Midlands when Clop targeted its systems in August 2022.

The cyber attack on its systems became infamous at the time because Clop mistakenly claimed it had attacked the systems of Thames Water, which serves customers in Greater London and other parts of south-east England.

The bumbling cyber criminals posted a lengthy screed against Thames Water, railing against its alleged cyber malpractice and encouraging consumers to band together to sue it.

Two-and-a-half years on, Manchester-based Barings Law is moving forward with legal action over the breach, for which South Staffs recently accepted liability.

Barings said its claimants saw personal information leaked on the dark web, including their names, addresses, bank sort codes and account numbers used for direct debit payments and bank transfers. It alleges that South Staffs failed in its duty to protect the personal data of its customers.

“This cyber attack has exposed a significant number of individuals to potential risks and damages,” said Adnan Malik, head of data breach at Barings Law.

“Our clients are seeking not only financial compensation, but also accountability from South Staffs Water for the lapses in data protection.

“We are regularly fielding enquiries from the public who are concerned they may have been victims of this terrible incident.

“This data breach is a serious infringement of privacy rights, and we will robustly pursue justice on behalf of the claimants to ensure that they receive fair compensation for the potential repercussions of this breach.

“Barings Law remains committed to championing the rights of those affected and holding accountable any entity that neglects its responsibility to protect sensitive data,” he said.

Computer Weekly contacted South Staffordshire Plc, but the organisation had not responded to our query at press time.

Founded in 2009, Barings is emerging as a specialist in similar group claims over cyber attacks in which personally identifiable information (PII) was stolen and leaked.

In the past 12 months, it has progressed notable actions against Capita and Carphone Warehouse.

The Capita action relates to two 2023 events that affected the data of ordinary people – the first, a ransomware attack that impacted several pension funds; the other, an accidental leak of data held in an unsecured Amazon Web Services (AWS) S3 storage bucket. As of mid-January 2024, more than 5,000 people had signed up to participate.

Capita has rejected the validity of this claim, saying there is “no evidence of any information in circulation, on the dark web or otherwise, resulting from the cyber incident, and no evidence linking Capita data to fraudulent activity”.

The Carphone Warehouse action relates to an infamous 2015 breach that affected more than two million people. Over 2,000 people are currently participating in the claim, which Carphone Warehouse parent Currys continues to defend.
