South Staffs Water hacked -- Ransomware group breaches corporate network

“Incident has not affected our ability to supply safe water.”

South Staffs Water hacked -- Ransomware group breaches corporate network

The parent company of South Staffs Water, which also operates Cambridge Water, has been hit by a cyber attack that has disrupted its corporate IT systems, the company acknowledged on Monday evening. The attack has not extended to any operational technology (OT) nor customer services, the water utility said.

A ransomware group has claimed responsibility for the breach and started leaking corporate data onto its dark web site. The incident comes as concerns have mounted globally that ransomware attacks could potentially disrupt water utilities. Late last year it emerged that four US wastewater plants had been hit by ransomware.

“South Staffordshire PLC, the parent company of South Staffs Water and Cambridge Water, has been the target of a criminal cyber-attack,” said the water company in a statement, adding that the breach “has not affected our ability to supply safe water... thanks to the robust systems and controls over water supply and quality we have in place at all times as well as the quick work of our teams to respond to this incident."

Follow The Stack on LinkedIn

“We are experiencing disruption to our corporate IT network and our teams are working to resolve this as quickly as possible. It is important to stress that our customer service teams are operating as usual,” the firm said.

South Staffordshire provides drinking water to approximately 1.6 million people, and approximately 35,000 commercial customers, over 1,500 square km in the West Midlands, South Staffordshire, South Derbyshire, North Warwickshire and North Worcestershire areas. In its last annual report it said that it is mitigating cyber risk by "implementing new firewalls as part of our ongoing IT transformation", rolling out new SCADA systems, getting ISO27001 certification for its group IT operations and using externally managed security operations centre (SOC).

South Staffs Water hacked – hackers bad at geography

According to security researcher Daniel Card, the Clop group initially claimed it had hacked Thames Water, with both HackNotice and then the Daily Express picking this up – the latter with alarmist headlines.

The Express has since removed its article about Thames Water.

Card posted several excerpts of Clop’s posts about the hack, where the group comments about its target’s poor cyber-security and unwillingness to communicate, and suggests consumers should sue Thames Water. Given it actually hacked South Staffs Water, it was perhaps unsurprising Clop saw so little response.

“CLOP are saying ‘We contact company and say we expect money to provide information on what and how and when so they can fix. They are not interested to fix.’ [sic] which is lulz if they got the wrong company name....” said Card on Twitter. IT leaders at several UK water utilities have previously told The Stack that the threat of a security breach keeps them up at night. The industry has a sprawling attack surface and a wealth of aging technology, as well as a workforce that is not always au fait with cyber risk, even as pressure mounts for more innovation, automation and digitally connected plants that can be remotely managed by workers to ensure rapid responses.

The UK is arguably doing better than the US when it comes to water company security however.

More than 70% of water utilities surveyed in the US in 2021 reported having less than three full-time equivalent personnel dedicated to IT cybersecurity, and 73% reported having less than three FTE employees dedicated to OT security. Moreover, only 30% of US water utilities reported having a CISO or equivalent.

The Stack has contacted South Staffordshire PLC for further comment.

To be updated

See also: Water CIOs agree landmark Open Data project “Stream”