UK-based water company Southern Water has confirmed that hackers stole the personal data of up to 470,000 customers in a recent data breach.
Southern Water, which provides water and sewerage services to millions of people in the South East of England, it said in a statement on Tuesday that it plans to notify “5 to 10 percent” of its customer base that personal information was stolen by hackers during a cyber attack in January.
The utility giant declined to say exactly how many people have been affected so far. Simon Fluendy, a spokesman for Southern Water, told TechCrunch that the company has about 4.7 million customers and did not dispute that between 235,000 and 470,000 customers had their data stolen.
Southern Water notes that the “5 to 10 percent” figure is based on ongoing forensic investigations, suggesting the actual number of people affected may be higher.
Southern Water declined to say what data had been stolen. reports BBC News that the hackers had access to customers’ dates of birth, National Insurance numbers, bank account details and reference numbers.
Southern Water said it also plans to notify “all of our current employees and some former employees” about the breach of their personal information. In its latest annual report, Southern Water says it has around 6,000 employees.
The January cyberattack on Southern Water, which the company first revealed on January 23rdclaimed by ransomware group Black Basta, a Russian-linked gang that last year claimed responsibility for a hack at UK outsourcing giant Capita.
Southern Water has yet to comment on the specifics of the incident or how its systems were breached.
Black Basta listed Southern Water on its dark web leak shortly after the cyber attack last month and claimed to have stolen 750 gigabytes of sensitive data from the organisation, including company documents and personal customer documents.
The listing, which threatened to release the stolen data unless a ransom demand was paid, also included screenshots that claimed to show some of the stolen data, including employee passports and ID cards.
At the time of writing, Southern Water is no longer listed on the Black Basta website. It is not uncommon for victim companies that pay ransom to hackers to remove their public listings. Southern Water declined to say whether it had paid a ransom.
In its statement released on Tuesday, Southern Water said it was working with cyber security experts to monitor the dark web. Since the utility’s listing on the ransomware gang’s website, Southern Water says it has “found no new evidence of data potentially involved in this cyber incident being published online.”
Southern Water says it has informed the UK’s data protection regulator, the Information Commissioner’s Office, about the incident.
