Serious data breach affecting financial information of South Staffs Water and Cambridge Water customers

Leading data breach lawyers say that the recent announcements by South Staffs Water  and Cambridge Water that customers’ personal information, including, in some cases at least, their bank account details, have been hacked and published on the darknet, are likely to lead to substantial claims for compensation by those affected.

In August 2022, South Staffs Water and Cambridge Water, announced that it had been victim of a cyber-attack and stated that there was some disruption to its corporate IT network.  These water companies provide water to over a million and a half people in England.

Responsibility for the cyber-attack was claimed by the notorious East European ransomware group C10p (Clop) who stated that they had taken over 5 TB (terabytes) of data.  After saying that negotiations had broken down, C10p posted a raft of stolen documents, including screenshots of identification documents, such as passports and driving licences, as well as details of the software systems used to monitor and control water treatment on its darknet site.  C10p made unsubstantiated claims that it could manipulate the levels of chemicals in the water.   

Meanwhile, South Staffs Water and Cambridge Water stated that they had reported the matter to the National Cyber Security Centre, National Crime Agency and the Information Commissioner’s Office and were also instructing their own IT security experts to investigate the matter.

On 29^th November 2022, South Staffs Water and Cambridge Water then published a further statement saying “our investigation has now found that the incident has resulted in unauthorised assess to some of the personal data we hold for a subset of our customers.”

They stated that they were contacting affected customers by letter “so that they can take appropriate action”.  They also a published a detailed Frequently Asked Questions (FAQs) section on their website in relation to the incident, which has been subsequently updated.

This initially stated that, while their investigations were still continuing, they believed that the data breach affected a subset of their customers who paid by direct debit.  They said that had sent out letters to affected customers between 25^th and 29^th November 2022.

The FAQs also initially stated that the customer personal data affected included the name and address of the account holder together with bank details (sort code and account number) used for the direct debit together with “other information needed to operate your water account”. 

In the actual letters of November 2022 to customers, they state that their investigations show that the personal data was subsequently published on the darknet.  The letters then state “There is a risk that criminals may try to use this compromised data to carry out fraud, in particular by submitting fraudulent Direct Debit mandates to your bank or building society using the data compromised in the cyberattack”.

The letters and FAQs identify the support being offered to affected customers, including a telephone helpline and free access to a credit monitoring service for 12 months.

New and different letters seem to have been sent out by South Staffs Water and Cambridge Water in January 2023 to other customers, not previously been contacted.

These letters also confirmed that the customers’ personal data had been taken as a result of the cyber-attack and published on the dark web. However, they were less clear about the personal data affected, saying that this included the customer’s name, email address and / or phone number (if shared with the water company) and address. They also confirmed that the personal information included “information you might have shared to help us provide tailor services to you”, tariff information / payment plan information and may have also included “other personal data which we hold on you to deliver our services”. The letters also say that there is a risk that criminals may try and use the personal data to carry out fraud.

The letters received by customers in January 2023 did not refer to the data breach being restricted to customers paying by direct debit or whether the banking details of the customers receiving this new letter were affected. While the water companies have made no further statement, the FAQs on their website have been amended to simply now say that “all impacted customers will have had some of their personal data published on the dark web.

Sean Humber, a data breach specialist and partner at Leigh Day, who has successfully acted in a series of claims relating to the unauthorised disclosure of confidential information over the last 20 years, including claims against large multinational companies, stated:

“This is a large and serious data breach.  As the water companies themselves accept, the disclosure of sensitive financial information leaves affected customers vulnerable to fraud by criminals.

“If the water companies’ failed to take adequate steps to keep customers’ personal data safe, then those affected are likely to be entitled to compensation for the distress and anxiety caused by the breach as well as any financial losses that they may have suffered.”

Gene Matthews, a partner at Leigh Day, who has successfully acted in a succession of large group claims over the last 20 years, added:

“This is likely to be an uncertain and deeply worrying time for those affected. Sadly, our own investigations, confirm that a considerable amount of information from this data breach is now on the darknet.”

If you have been affected by this data breach and wish to discuss, in complete confidence and without any obligation, bringing a claim for compensation on a “no win, no fee” basis then please get in touch by completing our form, or contacting Sean Humber or Gene Matthews on 020-7650-1200.

This news story was updated on 16 January 2023.