020 7650 1200

South Staffordshire PLC/South Staffs Water/Cambridge Water data breach claim

How can we help?

In 2022, South Staffordshire Water plc, the parent company of South Staffs Water and Cambridge Water, was the victim of a cyber-attack that has affected the personal data, including, in some cases at least, bank account details, of a reported quarter of a million customers.  The data breach leaves customers vulnerable to fraud. While the water companies have contacted these customers to inform them of the breach, they failed to take full responsibility for the consequences of their inadequate security measures.

About the data breach claim

Organisations are responsible for handling customer data correctly – including taking steps to securely store and protect this information from cyber attacks. If you’re one of customers who were contacted as you were affected by the data breach, you could be entitled to compensation.

Leigh Day's data protection experts are currently investigating claims against South Staffordshire Water plc / South Staffs Water / Cambridge Water on behalf of hundreds of affected customers. Get in touch today to find out how you can join the data breach claim. 

South Staffordshire plc, the parent company of South Staffs Water and Cambridge Water, first announced that it had been victim of a cyber-attack in August 2022, initially saying that there was some disruption to its corporate IT network.

On 29th November 2022, South Staffs Water and Cambridge Water both published a further statement saying “our investigation has now found that the incident has resulted in unauthorised access to some of the personal data we hold for a subset of our customers.”

These water companies provide water to over a million and a half people in England. It has been reported that at least 249,000 customers have been affected by the data breach.

They stated that they were contacting affected customers by letter “so that they can take appropriate action”. They also a published a detailed Frequently Asked Questions (FAQs) section on their website in relation to the incident, which has been subsequently updated.

This initially stated that, while their investigations were still continuing, they believed that the data breach affected a subset of their customers who paid by direct debit. They said that had sent out letters to affected customers between 25th and 29th November 2022.

The FAQs also initially stated that the customer personal data affected included the name and address of the account holder together with bank details (sort code and account number) used for the direct debit together with “other information needed to operate your water account”.

Join the South Staffordshire PLC/South Staffs Water/Cambridge Water data breach claim

In the actual letters of November 2022 to customers, they state that their investigations show that the personal data was subsequently published on the darknet.  The letters then state “There is a risk that criminals may try to use this compromised data to carry out fraud, in particular by submitting fraudulent Direct Debit mandates to your bank or building society using the data compromised in the cyberattack”.

The letters and FAQs identify the support being offered to affected customers, including a telephone helpline and free access to a credit monitoring service for 12 months.

New and different letters seem to have been sent out by South Staffs Water and Cambridge Water in January 2023 to other customers, not previously been contacted.

These letters also confirmed that the customers’ personal data had been taken as a result of the cyber-attack and published on the dark web. However, they were less clear about the personal data affected, saying that this included the customer’s name, email address and / or phone number (if shared with the water company) and address. They also confirmed that the personal information included “information you might have shared to help us provide tailor services to you”, tariff information / payment plan information and may have also included “other personal data which we hold on you to deliver our services”. The letters also say that there is a risk that criminals may try and use the personal data to carry out fraud.

The letters received by customers in January 2023 did not refer to the data breach being restricted to customers paying by direct debit or whether the banking details of the customers receiving this new letter were affected. While the water companies have made no further statement, the FAQs on their website have been amended to simply now say that “all impacted customers will have had some of their personal data published on the dark web.

How do I join the claim?

If you were affected by the South Staffordshire Water plc / South Staffs Water / Cambridge Water data breach, you can join thousands of other customers to hold South Staffordshire Water plc / South Staffs Water / Cambridge Water accountable for their failure to keep your personal information safe. Fill in our short form today.

What our lawyers say

This is a large and serious data breach. As the water companies themselves accept, the disclosure of sensitive financial information leaves affected customers vulnerable to fraud by criminals.

Sean Humber, partner

Join the South Staffordshire PLC/South Staffs Water/Cambridge Water data breach claim

What the directories say

Sean Humber is fantastic at what he does; his professionalism and customer skills are second to none. It's an absolute pleasure having him as my solicitor.

Chambers and partners 2023

Why use Leigh Day?

Experienced

Our human rights team has more than 20 years' experience in data protection and privacy claims. This includes challenging multi-national companies as well as local authorities and the NHS.

Informed

We keep on top of changes to information and data protection law to best advise our clients. We have brought successful compensation claims in cases where others wrongly accessed clients’ personal, medical and financial information.

Top ranked firm

The human rights team has been recognised as a leader in its field for many years. In 2022, we were top ranked in eight practice areas in Chambers and Partners.

Submit your information

We are already instructed by thousands of affected customers. We are acting for affected clients on a so called “no win no fee” basis, which will ensure that they receive at least 75% of any compensation they are awarded if the claim is successful. Clients will not be required to make any up-front payment or similar.

If you have been notified by South Staffordshire plc, South Staffs Water or Cambridge Water that your personal information was accessed as a result of the cyber attach and wish us to investigate starting a claim, you can start the process today.

Similarly, if you have any queries or problems completing the sign-up process or would prefer to be taken through the sign-up process by telephone, please email us at waterdatabreach@leighday.co.uk or call 020 7650 1199 and a member of our legal team will contact you to arrange a convenient time to speak with you.

Filling In An Online Form

Our human rights team challenge multi-million-pound corporations who have unlawfully shared their customers' information or failed to invest in adequate security measures, resulting in a data breach.

Contact the team by telephone on 020 7650 1199 or send an email.

Contact the team

Profile
Sean Humber
Data protection and privacy Discrimination Environment Human rights Judicial review

Sean Humber

Sean is an experienced human rights lawyer and privacy breach compensation claims specialist

Profile
Gene Matthews
Clinical trials Data protection and privacy Diesel emissions claims Group claims Human rights Medical devices Product safety

Gene Matthews

Gene specialises in consumer law, product liability and data protection claims mainly brought as group claims/ multi-party actions

FAQs

In August 2022, South Staffordshire plc, the parent company of South Staffs Water and Cambridge Water, announced that it had been victim of a cyber-attack and stated that there was some disruption to its corporate IT network. These water companies provide water to over a million and a half people in England.

Responsibility for the cyber-attack was claimed by the notorious East European ransomware group C10p (Clop) who stated that they had taken over 5 TB (terabytes) of data. After saying that negotiations had broken down, C10p posted a raft of stolen documents, including screenshots of identification documents, such as passports and driving licences, as well as details of the software systems used to monitor and control water treatment on its darknet site. C10p made unsubstantiated claims that it could manipulate the levels of chemicals in the water.

Meanwhile, South Staffs Water and Cambridge Water stated that they had reported the matter to the National Cyber Security Centre, National Crime Agency and the Information Commissioner’s Office and were also instructing their own IT security experts to investigate the matter.

On 29th November 2022, South Staffs Water and Cambridge Water then published a further statement saying “our investigation has now found that the incident has resulted in unauthorised access to some of the personal data we hold for a subset of our customers.” 

They stated that they were contacting affected customers by letter “so that they can take appropriate action”. They also a published a detailed Frequently Asked Questions (FAQs) section on their website in relation to the incident. 

This stated that, while their investigations were still continuing, they believed that the data breach affected a subset of their customers who paid by direct debit. They said that had sent out letters to these affected customers between 25th and 29th November 2022.

The FAQs also stated that the customer personal data affected included the name and address of the account holder together with bank details (sort code and account number) used for the direct debit together with “other information needed to operate your water account”.

In the actual letters to customers of November 2022 to customers, they state that their investigations show that the personal data was subsequently published on the darknet.  The letters then state “There is a risk that criminals may try to use this compromised data to carry out fraud, in particular by submitting fraudulent Direct Debit mandates to your bank or building society using the data compromised in the cyberattack”.

New and different letters seem to have been sent out by South Staffs Water and Cambridge Water in January 2023 to other customers, not previously been contacted.

These letters also confirmed that the customers’ personal data had been taken as a result of the cyber-attack and published on the dark web. However, they were less clear about the personal data affected, saying that this included the customer’s name, email address and / or phone number (if shared with the water company) and address. They also confirmed that the personal information included “information you might have shared to help us provide tailor services to you”, tariff information / payment plan information and may have also included “other personal data which we hold on you to deliver our services”. The letters also say that there is a risk that criminals may try and use the personal data to carry out fraud.

The letters received by customers in January 2023 did not refer to the data breach being restricted to customers paying by direct debit or whether the banking details of the customers receiving this new letter were affected. While the water companies have made no further statement, the FAQs on their website have been amended to simply now say that “all impacted customers will have had some of their personal data published on the dark web.

The letters and FAQs identify the support being offered to affected customers, including a telephone helpline and free access to a credit monitoring service for 12 months.

It has been reported that a quarter of a million customers have been affected by the data breach.

Those affected by the data breach may have claims for compensation against South Staffordshire plc / South Staffs Water / Cambridge Water for failing to keep their personal data safe and the distress and / or any financial losses that this has caused.

It is not clear at this stage how the hackers were able to access the IT system, although the hackers themselves are reported to have criticised the lack of security measures in place. However, on the face of it, it would seem surprising if South Staffordshire PLC’s security measures were found to be adequate given that they failed to prevent this serious cyberattack.

On the present information, there would seem good grounds for bringing a claim for breach of the UK General Data Protection Regulation and / or the Data Protection Act 2018. There may also be grounds for bringing a claim for breach of your confidence and / or misuse of your private information.

South Staffordshire plc / South Staffs Water / Cambridge Water have stated that they sent out letters to affected customers. They appear to have sent these letters out at different times between November 2022 and January 2023 notifying them that they have been affected.

If you received a letter from South Staffordshire plc / South Staffs Water / Cambridge Water between November 2022 and January 2023 saying that you were affected by the data breach, you may have a claim for compensation.

This includes a claim for compensation for the distress caused by the data breach even if you have not lost any money.

How much compensation you can claim may depend on specific factors of your case, such as:

  • The personal information accessed, including whether this included your bank account details.
  • How many people had unauthorised access to your personal information and for how long.
  • Emotional distress caused by the breach.
  • Any financial losses experienced.

On the information currently available, we consider that the value of affected customers’ compensation claims is likely to be in the thousand pounds.

We will obtain a more detailed assessment of the value of the claims from the barristers specialising in data breach matters that we are instructing in this matter after we have completed our investigations

It’s too early to provide a timescale for when the matter will be resolved and you may receive any compensation for the data breach. To an extent, this will depend on how South Staffordshire plc / South Staffs Water / Cambridge Water respond and whether they wish to mediate the claim.

We understand this can be frustrating, but we will keep our clients updated every step of the way via email. You can also reach out to us by emailing waterdatabreach@leighday.co.uk

We are acting for affected clients on a so called “no win no fee” basis, which will ensure that they receive at least 75% of any compensation they are awarded if the claim is successful. Clients will not be required to make any up-front payment or similar.

We are responding to form completions within 24 to 36 hours. If you have submitted your form during the weekend, please allow an extra day for responses, as we won’t see your details until the following Monday morning.

If you are still to receive a response, please email us at waterdatabreach@leighday.co.uk to check that the details we hold for you are correct.

The data breach claim is still at an early stage, so no compensation has been given out at the time of writing. However, please be assured that we will keep our clients updated via email.

You can also reach out if you need assistance at any point of the claims process by emailing – waterdatabreach@leighday.co.uk.

What the directories say

Sean Humber is innovative in his approach and an expert in the area of data protection. He is sensible in terms of advice to clients and offers realistic options.

Chambers and partners 2024 - Sean Humber - Data Protection & Information Law

What the directories say

Sean Humber is instructed by clients seeking advice on data breaches involving sensitive personal data. He represents individual claimants as well as companies. He's very responsive, professional, innovative and looks for solutions for his clients. He's a great strategic thinker and lawyer.

Chambers and partners 2022 - Sean Humber - Data Protection & Information Law

  • Here’s what you need to do after your personal data is breached Telegraph 16.8.23
  • Law firm says more than 150 people in Lichfield have joined claim against water company after cyber attack Lichfield Live 31.7.23
  • South Staffs Water data breach victims may be in line for compensation Express & Star 26.7.23
  • Legal firm says cyber attack on water firm could lead to “substantial claims for compensation” Lichfield Live 23.12.22
  • Cambridge Water customers told of potential legal claims over data breach Cambridge News 22.12.22
  • South Staffs Water and Cambridge Water data hack: what to do if you're affected Which? 7.12.22
  • Cambridge Water: Customer details targeted in cyber attack BBC 6.12.22