South Staffordshire PLC/South Staffs Water/Cambridge Water data breach claim

In August 2022, South Staffordshire plc, the parent company of South Staffs Water and Cambridge Water, announced that it had been victim of a cyber-attack and stated that there was some disruption to its corporate IT network. These water companies provide water to over a million and a half people in England.

Responsibility for the cyber-attack was claimed by the notorious East European ransomware group C10p (Clop) who stated that they had taken over 5 TB (terabytes) of data. After saying that negotiations had broken down, C10p posted a raft of stolen documents, including screenshots of identification documents, such as passports and driving licences, as well as details of the software systems used to monitor and control water treatment on its darknet site. C10p made unsubstantiated claims that it could manipulate the levels of chemicals in the water.

Meanwhile, South Staffs Water and Cambridge Water stated that they had reported the matter to the National Cyber Security Centre, National Crime Agency and the Information Commissioner’s Office and were also instructing their own IT security experts to investigate the matter.

On 29th November 2022, South Staffs Water and Cambridge Water then published a further statement saying “our investigation has now found that the incident has resulted in unauthorised access to some of the personal data we hold for a subset of our customers.” 

They stated that they were contacting affected customers by letter “so that they can take appropriate action”. They also a published a detailed Frequently Asked Questions (FAQs) section on their website in relation to the incident. 

This stated that, while their investigations were still continuing, they believed that the data breach affected a subset of their customers who paid by direct debit. They said that had sent out letters to these affected customers between 25th and 29th November 2022.

The FAQs also stated that the customer personal data affected included the name and address of the account holder together with bank details (sort code and account number) used for the direct debit together with “other information needed to operate your water account”.

In the actual letters to customers of November 2022 to customers, they state that their investigations show that the personal data was subsequently published on the darknet.  The letters then state “There is a risk that criminals may try to use this compromised data to carry out fraud, in particular by submitting fraudulent Direct Debit mandates to your bank or building society using the data compromised in the cyberattack”.

New and different letters seem to have been sent out by South Staffs Water and Cambridge Water in January 2023 to other customers, not previously been contacted.

These letters also confirmed that the customers’ personal data had been taken as a result of the cyber-attack and published on the dark web. However, they were less clear about the personal data affected, saying that this included the customer’s name, email address and / or phone number (if shared with the water company) and address. They also confirmed that the personal information included “information you might have shared to help us provide tailor services to you”, tariff information / payment plan information and may have also included “other personal data which we hold on you to deliver our services”. The letters also say that there is a risk that criminals may try and use the personal data to carry out fraud.

The letters received by customers in January 2023 did not refer to the data breach being restricted to customers paying by direct debit or whether the banking details of the customers receiving this new letter were affected. While the water companies have made no further statement, the FAQs on their website have been amended to simply now say that “all impacted customers will have had some of their personal data published on the dark web.

The letters and FAQs identify the support being offered to affected customers, including a telephone helpline and free access to a credit monitoring service for 12 months.

It has been reported that a quarter of a million customers have been affected by the data breach.

Those affected by the data breach may have claims for compensation against South Staffordshire plc / South Staffs Water / Cambridge Water for failing to keep their personal data safe and the distress and / or any financial losses that this has caused.

It is not clear at this stage how the hackers were able to access the IT system, although the hackers themselves are reported to have criticised the lack of security measures in place. However, on the face of it, it would seem surprising if South Staffordshire PLC’s security measures were found to be adequate given that they failed to prevent this serious cyberattack.

On the present information, there would seem good grounds for bringing a claim for breach of the UK General Data Protection Regulation and / or the Data Protection Act 2018. There may also be grounds for bringing a claim for breach of your confidence and / or misuse of your private information.

South Staffordshire plc / South Staffs Water / Cambridge Water have stated that they sent out letters to affected customers. They appear to have sent these letters out at different times between November 2022 and January 2023 notifying them that they have been affected.

If you received a letter from South Staffordshire plc / South Staffs Water / Cambridge Water between November 2022 and January 2023 saying that you were affected by the data breach, you may have a claim for compensation.

This includes a claim for compensation for the distress caused by the data breach even if you have not lost any money.

How much compensation you can claim may depend on specific factors of your case, such as:

• The personal information accessed, including whether this included your bank account details.
• How many people had unauthorised access to your personal information and for how long.
• Emotional distress caused by the breach.
• Any financial losses experienced.

On the information currently available, we consider that the value of affected customers’ compensation claims is likely to be in the thousand pounds.

We will obtain a more detailed assessment of the value of the claims from the barristers specialising in data breach matters that we are instructing in this matter after we have completed our investigations

It’s too early to provide a timescale for when the matter will be resolved and you may receive any compensation for the data breach. To an extent, this will depend on how South Staffordshire plc / South Staffs Water / Cambridge Water respond and whether they wish to mediate the claim.

We understand this can be frustrating, but we will keep our clients updated every step of the way via email. You can also reach out to us by emailing waterdatabreach@leighday.co.uk

We are acting for affected clients on a so called “no win no fee” basis, which will ensure that they receive at least 75% of any compensation they are awarded if the claim is successful. Clients will not be required to make any up-front payment or similar.

We are responding to form completions within 24 to 36 hours. If you have submitted your form during the weekend, please allow an extra day for responses, as we won’t see your details until the following Monday morning.

If you are still to receive a response, please email us at waterdatabreach@leighday.co.uk to check that the details we hold for you are correct.

The data breach claim is still at an early stage, so no compensation has been given out at the time of writing. However, please be assured that we will keep our clients updated via email.

You can also reach out if you need assistance at any point of the claims process by emailing – waterdatabreach@leighday.co.uk.