UK water supplier Southern Water has confirmed that it suffered a data breach after the Black Basta ransomware group appeared to leak customer data held by the firm.
The utilities company, which serves around 4.6 million customers across Southern England, admitted in a post on January 23, 2024, that “a limited amount of data has been published.”
“We are aware of a claim by cybercriminals that data has been stolen from some of our IT systems. We had previously detected suspicious activity, and had launched an investigation, led by independent cybersecurity specialists,” the notice read.
The company emphasized that its usual services have not been impacted by the incident.
Black Basta had earlier claimed to have successfully attacked Southern Water, and published a small sample of the data it allegedly stole on its Tor leak site.
This information included:
- Scans of identity documents such as passports and driving licenses
- Documents that appear to be HR-related, displaying the personal data of what could be customers, including home address, office address, dates of birth, nationalities, and email addresses
- Corporate car-leasing documents exposing personal data
Black Basta has threatened to release the rest of the data it claims to hold by February 29 unless its ransom demand is paid.
Southern Water Continues to Investigate the Breach
Southern stated in its post that it has informed the UK government and relevant regulators, such as the Information Commissioner’s Office (ICO) about the incident.
It is continuing its investigation, in line with guidance from the National Cyber Security Centre (NCSC).
“If, through the investigation, we establish that customers' or employees' data has been stolen, we will ensure they are notified, in accordance with our obligations,” the firm wrote.
In a response to a question about the breach on Southern Water’s X (formerly Twitter) account, a spokesperson for Southern wrote that there was no evidence that the firm’s customer relationships or financial systems have been affected.
Hi Gary,
— Southern Water (@SouthernWater) January 24, 2024
At this point there is no evidence that our customer relationships or financial systems have been affected. If, through the investigation, we establish that customer data has been stolen, we will notify customers directly.
Kind regards
Lara
Commenting on the incident, Jamie Akhtar, Co-Founder and CEO at CyberSmart said there are indications that the breach could have been the result of a supply chain attack.
He noted that some of the leaked documents are branded with Greensands logos, who are the parent company of Southern Water.
“This suggests that the breach could have happened through any number of Southern Water’s subsidiaries or suppliers,” said Akhtar.
Who is Black Basta?
The Russian-speaking Black Basta group has been one of the most prolific ransomware actors in recent years. An analysis published in November 2023 by Corvus Insurance found that the gang has made over $100m from ransomware attacks since April 2022.
Research in 2022 by eSentire found after the Conti group shut down, many of their affiliates moved their operation into other Russian-linked ransomware brands, including Black Basta, and continued to targeted critical infrastructure in Western nations.
Some good news emerged in January 2024, when German-based security researchers published a new suite of tools able to decrypt some Black Basta ransomware variants, allowing many victims to recover their files.
Water Companies Facing Growing Cyber-Threats
On January 19, 2024, the North America subsidiary of Veolia Water reported it had experienced a ransomware incident, which “affected some software applications and systems.”
The firm said it had contacted a limited number of individuals whose personal information was potentially accessed by the attackers, and is conducting an investigation into the incident.
Veolia added that some customers experienced delays in paying bills online due to the targeted back-end systems and servers being temporarily taken offline.
However, it said the attack appears to have been confined to its internal back-end systems and there was no evidence to suggest it affected Veolia’s water or wastewater treatment operations.
The attacks on Southern and Veolia follow a number of recent warnings about rising cyber-threats to the water sector. In December 2023, the UK’s NCSC urged the nation’s water sector to apply best practice security measures amid increasing targeting of critical infrastructure.
In the same month, the US’ Cybersecurity and Infrastructure Security Agency (CISA) said Iran’s Islamic Revolutionary Guard Corps (IRGC) was behind a series of strikes against water plants in the country.
The US government published a new incident response guide for the water and wastewater systems sector on January 18, 2024.
While neither of the recent attacks appear to have impacted water services, Nick Tausek, Lead Security Automation Architect at Swimlane, said they highlight the urgent need for water firms to modernize their cybersecurity practices.
“The guidelines published by the Environmental Protection Agency (EPA) in collaboration with the FBI and CISA highlighted the need for a preventative security approach to be implemented to combat the vulnerability of this critical infrastructure sector.
“The timing of this attack reiterates this vulnerability. These organizations must be taking the necessary precautions to not only safeguard the sensitive information of customers but also the system operations and water safety,” said Tausek.
Geoffrey Mattson, CEO of Xage Security said that sectors like water are particularly vulnerable to cyber-attacks due to the use legacy operational technology (OT) systems that have limited cybersecurity capabilities built in.
“Critical infrastructure is in the crosshairs. Regardless of the reasoning, the fact that the adversaries were able to breach their IT and OT systems in the first place is concerning,” he outlined.