back to article Ransomware attack on UK water company clouded by confusion

A water company in the drought-hit UK was recently compromised by a ransomware gang, though initially it was unclear exactly which water company was the victim. Clop, a prolific Russian-speaking gang known for extorting industrial organizations, claimed on its website that it had broken into and stolen data from Thames Water …

  1. Pascal Monett Silver badge
    Mushroom

    "and by making sure employee behavior is driven towards best practices."

    Of which the primary best practice is not opening the blasted attachment from somebody you don't know.

    1. UCAP Silver badge

      Re: "and by making sure employee behavior is driven towards best practices."

      Sadly, there is always an idiot around who thinks that they know better. Sometimes these idiots are at executive level, which makes it tricky to sack them after the network has been compromised.

      1. Phil O'Sophical Silver badge

        Re: "and by making sure employee behavior is driven towards best practices."

        Don't sack them, just levy the costs of repairing the damage against their present and future bonuses.

      2. Anonymous Coward
        Anonymous Coward

        Re: "and by making sure employee behavior is driven towards best practices."

        No need to try.. :) Simply have the Exec identify a suitable scapegoat that didn't provide a 100% watertight security environment with his paltry budget and sans Exec sponsorship and sack them instead. Job done.

        1. Tom 38

          Re: "and by making sure employee behavior is driven towards best practices."

          a 100% watertight .. environment

          The water companies think a little leakage is OK, this year they're crowing about how they've got it down to 1,078,210,000,000 litres of water a year. That's 3.2 trillion cans of coke, 431,284 olympic swimming pools, or the average discharge of the river Thames in London for 189 days*

          * Someone might have to check my maths on that one. Thames average discharge at London is 66m³/s, so (2954 * 1000000 * 365) / (1000 * 66) / (60 * 60 * 24) = 189.08?

          1. Anonymous Coward
            Anonymous Coward

            Re: "and by making sure employee behavior is driven towards best practices."

            The regulator Ofwat thinks a little leakage is OK

            FTFY

          2. John Brown (no body) Silver badge

            Re: "and by making sure employee behavior is driven towards best practices."

            And for as long as it's been reported in the news, as far back as I can remember, Thames Water have consistently been at the top of the list. When the customers can't choose the supplier, reputation matters little.

            I think I read somewhere that Thames Water was not just top of the list, but b y a large margin, losing over 40% more water through leaks than the company ion 2nd place.

            *ONLY* regulation can do anything, but that means a properly funded regulator with real powers. Maybe we could start by freezing the executive pay (up 21% in the last year for CEOs) and freezing shareholders dividends for a couple of years, re-investing it back into the leaking pipes problem. My local water company came out top of the dividend league, paying out over £123m, money that could have gone into repairing the pipes.

            1. Anonymous Coward
              Anonymous Coward

              Re: "and by making sure employee behavior is driven towards best practices."

              But don't you dare get that hosepipe out of the shed!

    2. NeilPost

      Re: "and by making sure employee behavior is driven towards best practices."

      What ever happened to Anti-Virus software scraping this stuff into quarantine ??

      All I seem to get these days is a semi-literate and wildly inconsistent accumulation or useful stuff and obvious spam quietly pushed into Junk…. and an Anti-Phish submission button on my corporate Outlook.

      Come back, Dr Solomon’s AVTK for Exchange Server !!

      1. hoola Silver badge

        Re: "and by making sure employee behavior is driven towards best practices."

        It is all "Next-Generation" cloud-based stuff that automagically provides perfect protection, requires zero management and has no impact on the system.

        That they are all useless is irrelevant. If something cannot detect eicar or a test script payload, how do I know it is working?

        The answer is you don't but as long as there is a little symbol somewhere on a task bar or service running all is well with the work and YOU ARE PROTECTED!!!!!

        That is if you believe all the sales hype.

        My experience is that they are all shite but have fantastic sales teams.

        1. Roland6 Silver badge

          Re: "and by making sure employee behavior is driven towards best practices."

          >If something cannot detect eicar or a test script payload, how do I know it is working?

          That's only the beginning...

          I'm p***ed off with a major provider of cloud security to businesses, their product seems to be doing its job, however, it keeps sending me "you are under attack" alerts, go to the dashboard to investigate and find there is no detailed information, not even the IP address'es of where "the attack" is originating from. So I'm unable to do anything to mitigate "the attack". For one "attack" I did do some legwork, only to find (and subsequently confirmed by reproducing the alert) the source was myself having finger problems logging on as admin, so taking a few attempts to get the password right in quick succession; I decided to ignore the advice to set up a VPN...

  2. simonlb Silver badge
    Stop

    They should stop with the boilerplate text

    "we take the security of our networks and systems very seriously"

    They may as well not bother putting any wording resembling that phrase in any announcement they make. Principally because:

    A) They feel they have to include it because they like to think it's reassuring to their customers shareholders and the relevant regulator, even if they don't really believe it

    B) No-one else believes it anyway

    1. Anonymous Coward
      Anonymous Coward

      Re: we take the security of our networks and systems very seriously

      Or add

      Once we are informed that they've spilled confidential information all over the Internet

    2. Anonymous Coward
      Facepalm

      Re: They should stop with the boilerplate text

      At least they don't send "thoughts and prayers" messages like our politicians across the pond.

      1. simonlb Silver badge
        Joke

        Re: They should stop with the boilerplate text

        "Our thoughts and prayers are with the shareholders after their tragic financial loss"

  3. Christoph

    "The mix-up could be seen from a list of usernames and passwords"

    If the security was so bad that the company could access the actual passwords rather than just the hashes it's not surprising they got hacked.

    1. Roland6 Silver badge

      Depends on how they are doing the hashing; if standard then reading the hashes is simply a dictionary/translation table lookup.

      1. Anonymous Coward
        Anonymous Coward

        That would fall under "their security was so bad" bit of Christoph's post.

  4. Peter Ford

    Leaks

    "They also taunted Thames Water, writing they had spent months inside the company's network and that it had 'very bad holes in their systems.'"

    I think they missplet 'cisterns'?

  5. Dan 55 Silver badge
    Devil

    Thames Water... had 'very bad holes in their systems'

    They do, they leak about a quarter of all water they supply.

    No problem at all, record pay, no investment, trebles all round, until you climate change rocks up and you're reduced to bleating about hosepipe bans.

    1. Anonymous Coward
      Anonymous Coward

      Re: Thames Water... had 'very bad holes in their systems'

      Well, to be fair, Thames Water have been trying to invest in a new reservoir in Oxfordshire for the past 30 years but the local NIMBYS have repeatedly blocked it. Those same NIMBYS are the first to complain about hosepipe bans, of course.

      1. Vometia has insomnia. Again. Silver badge

        Re: Thames Water... had 'very bad holes in their systems'

        They've been trying to force their customers to "invest" instead of fixing their notoriously leaky and under-maintained pipes, which they'd have to pay for themselves, or linking up with other suppliers. Wasn't it also Thames Water who sold a bunch of reservoirs to housing developers? I may be thinking of a different water company but it wouldn't surprise me if it was TW.

        1. katrinab Silver badge
          Megaphone

          Re: Thames Water... had 'very bad holes in their systems'

          Thames Water has sold off 25 reservoirs. Other water companies have also sold off reservoirs.

          1. Anonymous Coward
            Anonymous Coward

            Re: Thames Water... had 'very bad holes in their systems'

            Old ones, some of which weren't even connected to treatment plants.

      2. Anonymous Coward
        Anonymous Coward

        Re: Thames Water... had 'very bad holes in their systems'

        >but the local NIMBYS have repeatedly blocked it.

        A quick google indicates the NIMBYs were a long way down the list of reasons to block the application:

        "To date, it’s always fallen down with Ofwat [the regulator] on the grounds of value vs need and local opposition in planning."

        "OXFORDSHIRE County Council has torn apart Thames Water's case for building a reservoir the size of Heathrow Airport south of Abingdon." ie. Thames Water couldn't do maths.

        Additionally, Londoners need to understand, the rest of the country isn't there just to serve their needs.

        1. Anonymous Coward
          Anonymous Coward

          Re: Thames Water... had 'very bad holes in their systems'

          What have Londoners got to do with it? I live well north of London and Oxford but TW supply my water.

          1. This post has been deleted by its author

          2. Anonymous Coward
            Anonymous Coward

            Re: Thames Water... had 'very bad holes in their systems'

            >What have Londoners got to do with it?

            From the reports, it seems to satisfy the London demand was the key reason for this reservoir.(*) Interestingly, one of the reasons why the local planning rejected the application was that it did not take into consideration local development and needs.

            (*)London demand is a reason why there are so many London overspill housing development. Also it wasn't that long ago that various (Conservative controlled) London boroughs hit on the wheeze to export their people in need of social housing to outside London and thereby alter the voting demographic of their borough.

    2. Ken Moorhouse Silver badge

      Re: They do, they leak about a quarter of all water they supply.

      Might be because any recommendations referring to "cocks" is blocked by their firewalls.

      1. Jedit Silver badge
        Joke

        "any recommendations referring to "cocks" is blocked by their firewalls."

        Well, they have to stop them somehow.

    3. hoola Silver badge

      Re: Thames Water... had 'very bad holes in their systems'

      Whilst not siding with the water companies here, fixing the leaks is rather more challenging that most people realise.

      The leaks that hit the news are actually catastrophic failures of large water mains, often caused by subsidence in the surrounding soil or traffic. Yes these do spew a lot of water all over the place but by their very nature, once it has failed it has to be fixed.

      Most of the leakage that is complained about is occurring in small, lower pressure pipes. In this situation the leak can be seepage from a joint or crack into the surrounding soil with no indication that it is happening. It is only when the water finally starts oozing to the surface of the road/pavement/lawn that it becomes apparent.

      One the leak has been found, they they have to go through all the process of obtaining the work orders from the local authorities, possibly road closures etc to schedule the work. Again, this is where it is different to the large bursts. Those have usually closed roads already and stopped people's water supply.

      This is near where my parent's live and the size of the holes was spectacular.

      Many lorry loads of aggregate had to be brought in to fix the worst break as the water has blown so much of the ground away. Yes, the main is old and is only now being replaced completely but it is on a major feeder road to the M25 so chaos all round as it covers about 5 miles of road.

      https://www.getsurrey.co.uk/news/surrey-news/7-times-burst-water-mains-11611187

      Even if you could send something down the pipe with a camera it is unlikely to find the leaks. This in itself is a challenge compared to fixing your sewer because it is under pressure.

      1. Cuddles

        Re: Thames Water... had 'very bad holes in their systems'

        Note that the complaints here aren't about "water companies", they're specifically about Thames Water. Yes, leaks are difficult to find and fix. That does not explain why Thames Water finds it so much more difficult to find and fix them than any other water company in the country. And it doesn't explain why they're able to pay out millions in bonuses and dividends while being repeatedly fined for not fixing leaks and for continuously dumping raw sewerage into the environment. There are water companies that haven't been fined for incompetence at all; with Thames Water, the only question is how big the annual fine will be compared to the CEO's bonus.

        1. just another charlie

          Re: Thames Water... had 'very bad holes in their systems'

          I dont see how it can be so hard to find a leak. You just measure the water going in one end of the pipe and compare with the amount coming out the other. Then keep moving the location of your measuring rig. I imagine some kind of expandable plug that travels down the pipe.

  6. Graham Cobb Silver badge

    Passport scans and driver's licenses?

    Why are a water company keeping copies of passport scans and driving licenses?

    Yes, I can see that they might be some need to verify them at some point (there shouldn't be - it is none of their business who I am as long as the bills are being paid, but that is a separate battle). But they should keep a record of having done so, not the data itself! What possible excuse is there for a utility company or other business keeping such critical personal security data on their systems?

    Whatever the tiny benefit, it is completely outweighed by the massive risk to society of large quantities of important security information being exposed.

    1. gitignore

      Re: Passport scans and driver's licenses?

      probably staff rather than customers?

      1. Graham Cobb Silver badge

        Re: Passport scans and driver's licenses?

        That makes more sense, but it clearly shows that the policy is wrong. The tiny value to society from proof of doing right-to-work checks is less than the risks to society of having copies of passports and driving licenses lying all over the internet!

      2. John Brown (no body) Silver badge

        Re: Passport scans and driver's licenses?

        "probably staff rather than customers?"

        Doesn't matter. They still only need to keep a record that the data has been verified, eg passport could relate the Right To Work, drivers licence for any employ required to drive a vehicle on behalf of the company, but neither need to be kept in their entirety, especially as scans. Even a driving licence should only really need a record of what classes of vehicle are covered against the named employee.

        Being a remote worker, my employer requires an annual driving licence check. I send them a scan, they confirm the details, they delete the file. (I actually send them the same scan each year, since nothing changes and no one ever notices or complains :-))

        Although now I come to think of it, it's entirely likely that those scans might still be in some email archive. I must ask about that on Monday. Most of our emails default to auto-delete in 2027/8 or thereabouts (5 years autodelete??)so just deleting it Outlook obviously isn't enough.

        1. Ken Moorhouse Silver badge

          Re: They still only need to keep a record that the data has been verified

          I've worked with companies that need to comply with Anti Money Laundering and other regulatory checks*. Quite simply they are scared that some kind of compliance audit or investigation asks for the underlying proof of existence of data. They balance this risk against the cost of storage and cost of falling foul of GDPR regulations and say "uh oh, let's keep it."

          What is needed (with caveats) is a government system-generated hash that proves the underlying document has been eyeballed and this is all that needs to be recorded apart from the textual information contained therein. I know that something like that exists for UK Certificates (the System No. at bottom left), but is everyone that needs to know this aware of it, and can all regulatory bodies unlock that data to double-check it? (Many sources quote the top right hand alpha-numeric code, which is different). Against this, a ne'er-do-well artist can probably hack this data and bluff their way through with it. The GRO System No. is 9 digits long. It must have redundancy checks buit into it to prevent hacks, surely?

          These questions, until definitively addressed, mean that staff will cover their backsides by scanning everything they think may be relevant.

          ===

          I have a suspicion that the reason that a lot of unencrypted image files are out there is due to the use of databases where, yes, the data is encrypted, but the designers have decided that the storage cost and speed of access of incorporating the image files into the actual database is too great, and instead coded in a url to the image file itself.

          *In reality, that is all companies!

    2. OptimisticTim

      Re: Passport scans and driver's licenses?

      This will be for staff to confirm right for work, and this is required to be kept for two years after the person leaves the company. Apparently people can't be trusted to say they have done the relevant checks...

      1. Roland6 Silver badge

        Re: Passport scans and driver's licenses?

        >This will be for staff...

        So either the company's secure HR system, where such documents should be retained, has been breached; so the hackers also know salary, bank details and other information that would facilitate identity theft... Or GDPR information is being kept in emails or on company internally open storage.

        1. Anonymous Coward
          Anonymous Coward

          Re: Passport scans and driver's licenses?

          >the company's secure HR system

          They'll probably have been stored on a network share, likely open to 'authenticated users' or some other such group.

      2. Cav Bronze badge

        Re: Passport scans and driver's licenses?

        "Apparently people can't be trusted to say they have done the relevant checks..."

        I don't understand the use of the elipsis in your comment. People can't be trusted. It's just a fact.

    3. Claverhouse Silver badge

      Re: Passport scans and driver's licenses?

      Why are a water company keeping copies of passport scans and driving licenses?

      .

      Recently, via the miracle of Mailsort * I received some vouchers from JUUL vaping. I never respond to advertising if at all possible, but I decided that as it was a good cause, being smoking-related, I would give it a go.

      Finally after much dreary website form-filling, I was confronted with a demand to upload my Passport, Government I.D, and a self photograph to verify my claimed age.

      At which point I closed the website.

      .

      .

      * In Britain delivered mass advertising that comes with the normal post --- for Usaians and other non-British people, who may not get this glossy junk cluttering their mail-boxes

  7. Anonymous Coward
    FAIL

    Own goal

    > Within a couple of days, Clop updated its website, saying it was South Staffordshire that it attacked, and not Thames.

    I would have liked to be a fly on the wall in those ransom negotiations. :-)

    "Pay us £100,000" ... "No" ... "I'm deleting C:\*.* - soon you will be crippled" ... "I'm waiting" ... NO CARRIER

  8. Anonymous Coward
    Anonymous Coward

    Breach confirmed - data on darkweb

    Initially South Staffordshire Water and their subsidiary Cambridge Water claimed the leaked data was limited to staff.

    However, at end of November 2022, Cambridge Water, finally, admitted that all customers who paid their water bill by direct debit have had all the information stored by Cambridge Water taken ...

    Customer details - account number, name, address, water bill amounts, monthly payment amount.

    Customers' bank details - branch address, sort code and account number.

    I.E. everything needed for ID theft.

    Further, independent checks have shown the data taken is now being traded on the darkweb.

    There have already been reports of Cambridge Water staff having suffered from identity theft.

    What are South Staffordshire Water and Cambridge Water offering to their affected customers ?

    Well there is a FAQ page on their web site.

    A years (just a year) free use of TransUnion's TrueIdentity online monitoring service.

    The usual stock, standard, boilerplate apology.

    However, they are NOT going to pay for customers to register with CIFAS, UK's fraud prevention service. Even though, the administration fee is only £25 for 2yrs.

    Yes I am affected.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like