Southern Water is contacting customers to warn that their personal data may be at risk following a cyberattack.
The attack came to light on February 12 and since then the company has worked with technical advisers to confirm whose data is at risk.
A statement from the company said: “Our initial assessment is that this is the case for some of our customers and current and former employees.
“We take data protection and information security very seriously and, in accordance with our regulatory obligations, we are making contact with anyone whose personal data may be at risk.
“Based on our forensic investigations so far, which are on-going, we are notifying in the order of five to 10% of our customer base to let them know that their personal data has been impacted. We are also notifying all of our current employees and some former employees.”
The company added: “Since the incident, our IT security teams have worked with independent incident response experts, using enhanced monitoring and protection tools to check actively for any suspicious activity on our IT estate. Southern Water’s operations and services to customers have not been impacted.”
Industry experts have been giving their views on the attack:
Rick Jones, CEO of DigitalXRaid, said: “The recent ransomware attack on Southern Water echoes the urgency for organisations that form part of the critical national infrastructure (CNI) to proactively defend against unseen security breaches. The growing sophistication of attackers means that they are adept at spotting the security gaps that most complex organisations cannot, and their objective is not always financial. But, with millions of customers and an extremely low threshold for downtime, utilities providers are an attractive target for ransomware groups.
“Achieving full visibility across networks is the key to identifying suspicious activity. For critical organisations in particular, a proactive cybersecurity strategy is not just a recommendation but a necessity. Any breach of a nation-critical organisation poses a huge security risk – these organisations need to prioritise swift detection to minimise the window of opportunity for bad actors seeking sensitive data.
“Southern Water’s quick response to the attack and onboarding of cyber professionals is a great example of how CNI organisations should mitigate attacks when they occur.”
Darren Guccione, CEO and Co-Founder, Keeper Security, said: “Critical infrastructure, including water and wastewater management organisations like Southern Water, continues to be a prime target for cybercriminals. These critically important systems often lack basic cybersecurity protections because they were not originally designed to be online, and only transitioned online later for convenience. Protecting critical infrastructure from cyberattacks is as important as protecting it from physical attacks, because the consequences have the potential to be equally devastating. The impacts can range from the theft of sensitive customer data, as in this case, to the disruption of basic utilities and services that people rely on.
“In cases where personal information is stolen, threats from a data breach persist even after it’s been discovered and contained. It is imperative for current and former employees and customers of Southern Water to take proactive steps to protect themselves from cybercriminals who aim to use their personal information for identity theft and targeted attacks.”
Erfan Shadabi, Cybersecurity Expert at comforte AG, said: “Sometimes it takes a security incident hitting an unexpected target to drive home the importance of data security! It might come as a surprise to some that a water services company was targeted, but we should remember that any organisation that holds sensitive information – and that includes the vast majority of businesses, enterprises, or other organisations – is one that should anticipate a cyberattack at any time, because threat actors can use that sensitive information as leverage to induce ransom payments.
“Your data is their target and data security should always be a top priority. To do this successfully and to mitigate the severity and fallout of these attacks, leverage data-centric security methods such as tokenisation or format-preserving encryption. Tokenisation, for example, can replace sensitive information with representational tokens that are indecipherable, though the tokenised information still retains the original data format. Threat actors might get their hands on it, but if they can’t understand it then they can’t use it as leverage.”
Javvad Malik, Lead Security Awareness Advocate at KnowBe4, said: “While Southern Water’s prompt acknowledgment of the breach and their engagement with cybersecurity experts to monitor potential data leaks is commendable, it highlights the persistent threat that cybercriminals pose to organisations, particularly ones in critical infrastructure.
“The fact that they’ve initiated steps such as notifying affected individuals and collaborating with government and regulatory bodies showcases an adherence to best practices in incident response. However, this incident serves as a stark reminder of the importance of proactive cybersecurity measures. Organisations must not only invest in sophisticated security infrastructure but also in educating their employees, partners, and customers about potential cybersecurity threats. Regular security assessments and training can significantly mitigate the risk of such breaches.
“However, the response does not stop there. The threat of the stolen data being weaponised to use against employees, customers and third parties remains high, so people should be provided with clear instructions that are easy for them to implement, to better safeguard themselves in the future.”