Brian Sims
Editor

Customer and employee data at risk in wake of cyber attack on Southern Water

SOUTHERN WATER – the utilities business providing vital water supplies for circa 2.5 million customers in Kent, Sussex, Hampshire and the Isle of Wight – has become the victim of a substantial cyber attack in which between 5% and 10% of customers’ personal details and financial information, in addition to data belonging to current and former employees, may have been stolen for potential sale on The Dark Web.

On 23 January, the company had issued a statement on its website referencing a claim by active cyber criminals that data had been appropriated from some of its IT systems. Suspicious activity had been detected and Southern Water subsequently launched an immediate investigation, which was led by independent cyber security specialists.

A limited amount of personal data was then published. At that juncture, there was no evidence to suggest that customer relationships or financial systems had been affected. Services were not impacted in any way and the business was operating normally.

Nonetheless, Southern Water duly informed the Government, relevant regulators and the Information Commissioner’s Office and, in tandem, closely followed the advice of the National Cyber Security Centre as part of the investigation process.

Illegal intrusion

On 12 February, Southern Water affirmed that data from “a limited part” of its server estate had been stolen and was at risk following an “illegal intrusion” into the company’s IT systems.

Data including names, dates of birth, National Insurance numbers, bank account details and reference numbers could have been stolen in the attack.

The Black Basta ransomware group claimed responsibility for the episode. The cyber extortion gang, which is suspected of being an off-shoot of the Russian Conti group of cyber hackers, claimed it had stolen 750 GB of data in total, threatening to expose all of it if Southern Water failed to pay a ransom.

Southern Water has commented: “We are very sorry that this has happened. We continue to work with our expert technical advisors to confirm precisely whose data is at risk. Our initial assessment is that this is the case for some of our customers, as well as current and former employees.”

The company statement continues: “We have engaged leading independent cyber security experts to monitor The Dark Web. They continue to report to us that, since we were named on the cyber criminals’ site on 22 January, they have found no new evidence of the data potentially involved in this cyber incident being published online. They will continue to carry out their checks for as long as is necessary.”

Further, Southern Water said: “We take data protection and information security very seriously indeed and, in accordance with our regulatory obligations, we are making contact with anyone whose personal data may be at risk.”

Nature of notifications

Those customers, current employees and some former employees potentially affected have received notifications including security advice, as well as guidance on recommended precautionary steps and details of the support on offer from Southern Water.

The latter includes enhanced Experian credit monitoring, free of charge, for the next 12 months. This particular service provides active monitoring, which can detect and help to prevent the fraudulent misuse of personal information.

Since the incident occurred, Southern Water’s IT security teams have worked with independent incident response experts, using enhanced monitoring and protection tools to check actively for any suspicious activity on the company’s IT estate.

Further updates will be posted on the Southern Water website at www.southernwater.co.uk and via recognised social media channels.

Comment from the security sector

Rick Jones, CEO of DigitalXRaid, observed: “The recent ransomware attack on Southern Water echoes the urgency for organisations that form part of the Critical National Infrastructure (CNI) to proactively defend against unseen security breaches. The growing sophistication of attackers means that they’re adept at spotting the security gaps that most complex organisations cannot. Their objectives are not always financial in nature. With millions of customers on their books and an extremely low threshold for downtime, utilities providers are an attractive target for ransomware groups.”

Jones continued: “Achieving full visibility across networks is the key to identifying suspicious activity. For critical organisations in particular, a proactive cyber security strategy is not just a recommendation, but rather a necessity. Any breach of a nation-critical organisation poses a huge security risk. Such organisations need to prioritise swift detection in order to minimise the window of opportunity for bad actors seeking sensitive data.”

On a positive note, Jones concluded: “Southern Water’s quick response to the attack and on-boarding of cyber professionals is a great example of how CNI organisations should mitigate attacks when they do occur. Taking proactive steps such as running tabletop exercises, implementing a strong incident recovery strategy and deploying a Secure Operations Centre service, complete with 24/7/365 threat monitoring and detection, adds a vital extra layer of security. This then serves to improve identification and response times in the face of today’s evolving cyber threats.”
