UK water giant admits attackers broke into system as gang holds it to ransom

Comes mere months after Western intelligence agencies warned of attacks on water providers

Southern Water confirmed this morning that criminals broke into its IT systems, making off with a "limited amount of data."

The Black Basta ransomware group claimed the attack while publishing a snippet of the data it allegedly stole, which included:

  • Scans of identity documents such as passports and driving licenses

  • Documents that appear to be HR-related, displaying the personal data of what could be customers, including home address, office address, dates of birth, nationalities, and email addresses

  • Corporate car-leasing documents exposing personal data

Southern Water provides water services to 2.5 million customers and wastewater services to 4.7 million customers in the southern regions of England. The company said in a statement that if it finds evidence of customer or employee data being stolen, it will notify the affected individuals.

Inputting some of the details leaked on the cybercriminals' blog into a search engine suggests the details of both Southern Water employees and customers may be compromised.

"We are aware of a claim by cyber criminals that data has been stolen from some of our IT systems," the organization said.

"We had previously detected suspicious activity, and had launched an investigation, led by independent cyber security specialists.

"Since then, a limited amount of data has been published. However, at this point, there is no evidence that our customer relationships or financial systems have been affected. Our services are not impacted and are operating normally."

The UK government, regulators, and the Information Commissioner's Office (ICO) have been informed, it went on to say.

It's unclear where the root cause of the breach lies. Some documents leaked online are branded with Greensands logos – the parent company of Southern Water.

Black Basta said it stole 750 GB worth of data in total, comprised of personal data and corporate documents, which is consistent with the small sample leaked online.

The gang said a full exposure of data will take place in six days if a ransom isn't paid.

The water and wastewater industry has become an increasingly popular target for cybercriminals over the past year, prompting the US Cybersecurity and Infrastructure Security Agency (CISA) to prioritize engagement with it to the same degree as the healthcare and education sectors.

"To support and reinforce EPA's ongoing efforts, CISA is prioritizing the water sector in its engagements and efforts due to the significant level of cyber and physical risk associated with this sector combined with its relative lack of resources to address those risks," reads the agency's dedicated page for the water industry.

Iranian attackers are thought to be behind an attack on a Pennsylvania water authority in November 2023 after compromising Unitronics programmable logic controllers.

Attacks on Western critical infrastructure have been an acute concern for cybersecurity authorities in recent years, and the UK National Cyber Security Centre (NCSC) has recently issued an advisory highlighting the threat to critical infrastructure, including water organizations.

In 2022, now-dismantled ransomware crew Clop claimed an attack on Thames Water but the silly skids instead breached South Staffordshire – parent company to South Staffs Water and Cambridge Water. ®
