"A limited amount of data has been published": Southern Water confirms ransomware attack as Black Basta group claims responsibility


The hack of Southern Water by a notable ransomware group has highlighted the increasing risk to the water industry from cyber criminals, experts have said. 

'Black Basta' claimed responsibility for the attack on the utilities firm, warning that if an unspecified ransom is not paid it will leak the stolen data on 29 February.

The ransomware group claims to have stolen 750GB of sensitive data, including passports, ID cards, and the personal information of some employees.

Southern Water said it had already detected suspicious activity, and launched an investigation into the incident led by independent cyber security specialists. In a statement, the firm said it has informed the government, regulators, and the Information Commissioner's Office (ICO).

"Since then, a limited amount of data has been published. However at this point there is no evidence that our customer relationships or financial systems have been affected. Our services are not impacted and are operating normally," Southern Water said.

"If, through the investigation, we establish that customers' or employees' data has been stolen, we will ensure they are notified, in accordance with our obligations."

The water industry, along with other infrastructure, has increasingly been a target for ransomware operators over the last few years.

Late last year, CISA issued an alert warning of the active exploitation of Unitronics’ programmable logic controllers (PLCs), used extensively across the water sector. 

The alert was followed a few days later by a warning from the UK's National Cyber Security Centre (NCSC), which described an 'enduring and significant' threat to utilities organizations.

Tim West, head of cyber threat intelligence at WithSecure, said the heightened threats faced by utilities firms have largely come from hacktivist groups, rather than financially-motivated threat actors.

"While there have been hacktivist attacks on the water sector in recent months, many financially motivated actors have intentionally avoided interfering with critical national infrastructure such as water supplies, so as not to draw too much attention from law enforcement," he said.

"However, water companies also hold huge amounts of PII which not only has value on the dark web, but is excellent leverage for cyber attackers when demanding a ransom."

Who are the Black Basta ransomware group?

Black Basta is one of the smaller ransomware groups, and was first observed in 2022. It employs a Ransomware as a Service (RaaS) model, and uses a double extortion technique, stealing sensitive company data and threatening to release it, advertising the data on the dark web. 

"Stolen data usually ends up being sold on the dark web and can be used to commit further crimes such as identity fraud," said Rob Bolton, VP EMEA at Versa Networks.

"Paying ransom demands is no guarantee that stolen data will be returned, and it will only help fund future ransomware activity. Ransomware gangs have been known to still keep a copy of the data, as well as come back with further extortion fees."

According to research late last year by Elliptic and Corvus Insurance, Black Basta has netted at least $107 million in Bitcoin ransom payments since early 2022, and has attacked 329 victims and counting, including Capita, ABB, and Dish Network.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.