"The UK government, regulators, and the Information Commissioner's Office (ICO) have been informed, it went on to say."
I bet Southern Water can't wait for the wonderful merriment of them doing the square root of fuck all about it.
Southern Water confirmed this morning that criminals broke into its IT systems, making off with a "limited amount of data." The Black Basta ransomware group claimed the attack while publishing a snippet of the data it allegedly stole, which included: Scans of identity documents such as passports and driving licenses …
I’ve had to phone up Southern Water before, to discuss a broken drain leading out from my property. They couldn’t help.
Later that day, a local plumber pulled up and asked if I needed any work doing. I asked how he knew and he said “I’ve got a mate who works at Southern Water.”
> You could always report the breach to ICO so they could tell you to switch your water supplier and bugger off...
It would be the same water pipes. The only difference is the logo that appears on the top of your bill. Same goes for the other utilities.
When can we all agree to give up on this fetish of identity? Within 3 years it will be gone anyway: everyone's passports and driving licences will have been stolen because some entity that thinks (or its regulator thinks) it is SO "important" or "critical" that it has to know its customers "real" identity will have leaked the documents necessary to prove identity.
Stop worrying about who people are! There is no problem with the same person having multiple identities if they wish. Or calling themselves whatever they want. That is a basic principle of UK law: your name is what you choose to call yourself. The only valid use of a passport should be to prove your birth identity to a foreign government to allow travel to countries still stuck in the 20th century notion of "identity".
I'm waiting for Yemeni hacker accusations. I give it a month tops before America unearths a previously unknown hackorz network.
Not saying there aren't Iranian/Russian/Chinese or North Korean hackers but I am saying it's odd it's nearly always those countries.
> it's odd it's nearly always those countries.
Why is it odd? If you live in one of those countries and do damage to the West while earning some money, you are safe from prosecution.
North Korea is a special case - you don’t keep the money and you are advised by the government who to attack. In the other 3 you are making money while being safe.
And how do we know it's coming from those countries? The IP address, which can be spoofed/routed? An admission that can't be truly traced? Reverse engineering the code and finding use of a language that can be planted?
The simple and obvious fact is that you can never tell who is hacking or where they are. The speculation around some hacker "axis of evil" is purely propaganda for the masses.
Why the hell do Southern Water (or indeed any utility company) need to collect any personal identification? You are buying services from them; the only thing they need to know is (a) an address and (b) that the money keeps coming in. Some sort of customer number to link payments to location might be handy, but that is all they *need* until such time as you wish to terminate their service. At that point, it's reasonable that they require some sort of evidence that *you* are a person who has a right to terminate it (wouldn't want any Tom, Dick, or Harry turning my water off!) but it's *not* reasonable that they keep any such identifiable documentation... yes, send us a scan of your rates bill with your name and address, and we will note on our database that this was the document used to identify you.
What possible reason can there be to gather this sort of identification other than for this final case?
Indeed, they are required to have this data as part of the hiring process. What they aren't required to do is keep this in an easily exfiltrated digital form, and that's where Southern Water show themselves to be complete morons. Any sensitive data that is not routinely used day in, day out should either be held in a filing cabinet, or backed up to non-rewritable storage that's inaccessible unless properly requested and mounted. Granted, that won't protect data like salary and routine employee data (address, next of kin, bank details), but even there, why is it not encrypted so that it might be stolen or corrupted, but it can't be spilled? Again, there are other ways to get at the data, but FFS stop making it easy for the crims.
As usual, there's a lack of incentives for corporations (or public sector bodies) to get this stuff right. Punishment and sanctions apply only after the event, by which time it's too late, and it's well observed that stringent penalties don't deter wrongdoing (e.g. financial services, competition law, murder etc.), and certainly can't deter incompetence. If the ICO want compliance, they need a new model. Perhaps build a highly competent team of white hats* and start trying to hack every British company (inc. operations of multinationals, and government departments), use every trick that crims use, and give the ICO powers of entry to board or leadership meetings to present the findings, with legally enforceable deadlines to fix. Having their board meeting stormed by assertive bureaucrats** telling them what they're going to do would be a very nasty surprise for the goons that infest most boardrooms.
* Start with all the no-mates bedroom hacker brigade the UK seems to have a credible resource of.
** It'd be a bit like being mauled by a capybara, but it makes sure the message is understood in a way that enforcement letters and regulatory enquiries don't.
Why is it that this sort of information, that is only required by internal people at a company, is not on an internal air-gapped network? Mechanisms for moving data securely between the internal and external networks are not a challenge to set up. (No routers.) But of course it does require large companies to manage their own internal Internet (intranet) between their sites for personal data. All the remaining nonsense they hold, that relates to their business, could be anonymous, ident-linked and therefore could be on the normal internet. Hackers would have to splice wires or break into a site or access very challenging telecoms networks at a lower level... It would also mean companies sharing personal information would probably have to verify that the share was authorised!
Anyone who knows anything about Southern Water should realise their entire operating model is based on breaches. After all, their sewerage network regularly breaches to pour billions of litres of raw sewage into the environment. Their supply network regularly leaks everywhere to pour all that critical water (according to Southern Water) all over the roads etc. So, why are we surprised their IT systems leak! It's their entire model of operation...
I would not consider this as an attack on a utility.
An IT system that was used by the water works was attacked, but this is no different from an attack on the IT system of a supermarket or a garage.
Very few such attacks have impacted the distribution of services (exceptions: Stuxnet, Dark Energy and a few more).
The attack on the "Capital" pipeline: the petrol kept flowing (technically), but if you cannot bill for it, there is a serious business problem.