UK water giant admits attackers broke into system as gang holds it to ransom

Southern Water confirmed this morning that criminals broke into its IT systems, making off with a "limited amount of data." The Black Basta ransomware group claimed the attack while publishing a snippet of the data it allegedly stole, which included: Scans of identity documents such as passports and driving licenses …

  1. wolfetone Silver badge

    "The UK government, regulators, and the Information Commissioner's Office (ICO) have been informed, it went on to say."

    I bet Southern Water can't wait for the wonderful merriment of them doing the square root of fuck all about it.

    1. Necrohamster Silver badge
      Coat

      They're obliged to report the data breach to the ICO, so that a fine/smack on the wrist/etc can be dished out.

      In the words of Chief Wiggum: "We're powerless to help you, not to punish you"

  2. mobailey

    Not the first time my data has been breached by Southern Water

    I’ve had to phone up Southern Water before, to discuss a broken drain leading out from my property. They couldn’t help.

    Later that day, a local plumber pulled up and asked if I needed any work doing. I asked how he knew and he said “I’ve got a mate who works at Southern Water.”

    1. elsergiovolador Silver badge

      Re: Not the first time my data has been breached by Southern Water

      You could always report the breach to ICO so they could tell you to switch your water supplier and bugger off...

      1. Anonymous Coward
        Anonymous Coward

        Re: Not the first time my data has been breached by Southern Water

        > You could always report the breach to ICO so they could tell you to switch your water supplier and bugger off...

        It would be the same water pipes. The only difference is the logo that appears on the top of your bill. Same goes for the other utilities.

        1. Richard 12 Silver badge

          Re: Not the first time my data has been breached by Southern Water

          Not even that. They're all absolute monopolies.

        2. katrinab Silver badge
          WTF?

          Re: Not the first time my data has been breached by Southern Water

          Unlike other utilities, you don't have a choice of different billing providers for water.

      2. IGotOut Silver badge

        Re: Not the first time my data has been breached by Southern Water

        "switch your water supplier and bugger off."

        How?

        1. andy_plugh

          Re: Not the first time my data has been breached by Southern Water

          No-one suggested the advice was going to be any use

  3. VoiceOfTruth

    For your safety and security

    We will indefinitely retain "Scans of identity documents such as passports and driving licenses". You can be assured our (your) data is as leaky as our pipes.

    1. Mishak Silver badge

      "as leaky as our pipes"

      Is that possible?

    2. Graham Cobb

      Re: For your safety and security

      When can we all agree to give up on this fetish of identity? Within 3 years it will be gone anyway: everyone's passports and driving licences will have been stolen because some entity that thinks (or its regulator thinks) it is SO "important" or "critical" that it has to know its customers' "real" identity will have leaked the documents necessary to prove identity.

      Stop worrying about who people are! There is no problem with the same person having multiple identities if they wish. Or calling themselves whatever they want. That is a basic principle of UK law: your name is what you choose to call yourself. The only valid use of a passport should be to prove your birth identity to a foreign government to allow travel to countries still stuck in the 20th century notion of "identity".

    3. Snowy Silver badge
      Holmes

      Re: For your safety and security

      Looks like the kind of data that employers need from employees so they can prove they are not employing illegal immigrants.

  4. Anonymous Coward
    Anonymous Coward

    Iranian attackers are thought to be behind an attack on a Pennsylvania water authority.

    I'm waiting for Yemeni hacker accusations. I give it a month tops before America unearths a previously unknown hackorz network.

    Not saying there aren't Iranian/Russian/Chinese or North Korean hackers but I am saying it's odd it's nearly always those countries.

    1. TheMeerkat

      Re: Iranian attackers are thought to be behind an attack on a Pennsylvania water authority.

      > it's odd it's nearly always those countries.

      Why is it odd? If you live in one of those countries and do damage to the West while earning some money, you are safe from prosecution.

      North Korea is a special case - you don’t keep the money and you are advised by the government who to attack. In the other 3 you are making money while being safe.

      1. Anonymous Coward
        Anonymous Coward

        Re: Iranian attackers are thought to be behind an attack on a Pennsylvania water authority.

        And how do we know it's coming from those countries? The IP address that can be spoofed/routed? An admission that can't be truly traced? Reverse engineering the code and finding use of the language that can be planted?

        The simple and obvious fact is that you can never tell who is hacking or where they are. The speculation around some hacker "axis of evil" is purely propaganda for the masses.

  5. Arthur the cat Silver badge
    Unhappy

    Southern Water

    In a previous incarnation SW were one of our customers. The kindest comment I can make about their manglement is "not impressed". The grunts who actually did the work definitely classed as long suffering.

  6. nijam Silver badge

    > ... making off with a "limited amount of data."

    Would that limit be "the total amount of data that Southern Water have"?

    1. cyberdemon Silver badge
      Holmes

      Standard Procedure

      "A limited amount of water has leaked from our pipes, flooding your property"

      "We dumped a limited amount of raw sewage into your river"

      "A limited amount of the money we borrowed to fix the leaks has been trousered by our executives and shareholders"

  7. Neil Barnes Silver badge
    Big Brother

    Wait a minute...

    Why the hell do Southern Water (or indeed any utility company) need to collect any personal identification? You are buying services from them; the only thing they need to know is (a) an address and (b) that the money keeps coming in. Some sort of customer number to link payments to location might be handy, but that is all they *need* until such time as you wish to terminate their service. At that point, it's reasonable that they require some sort of evidence that *you* are a person who has a right to terminate it (wouldn't want any Tom, Dick, or Harry turning my water off!) but it's *not* reasonable that they keep any such identifiable documentation... yes, send us a scan of your rates bill with your name and address, and we will note on our database that this was the document used to identify you.

    What possible reason can there be to gather this sort of identification other than for this final case?

    1. Mad Mike

      Re: Wait a minute...

      If it's passports and the like, I assume it's current and previous employees. They would be required to check before employing them for right to work. At least the incompetent IT crowd have potentially had their own data sent all over the internet!

      1. Lurko

        Re: Wait a minute...

        Indeed, they are required to have this data as part of the hiring process. What they aren't required to do is keep this in an easily exfiltrated digital form, and that's where Southern Water show themselves to be complete morons. Any sensitive data that is not routinely used day in day out should either be held in a filing cabinet, or backed up to non-rewriteable storage that's inaccessible unless properly requested and mounted. Granted that won't protect data like salary and routine employee data (address, next of kin, bank details), but even there, why is it not encrypted so that it might be stolen or corrupted, but it can't be spilled? Again, other ways to get at the data, but FFS stop making it easy for the crims.

        As usual, there's a lack of incentives for corporations (or public sector bodies) to get this stuff right. Punishment and sanctions apply only after the event by which time it's too late, and it's well observed that stringent penalties don't deter wrongdoing (eg financial services, competition law, murder etc), and certainly can't deter incompetence. If the ICO want compliance, they need a new model. Perhaps build a highly competent team of white hats* and start trying to hack every British company (inc operations of multinationals, and government departments), use every trick that crims use, and give the ICO powers of entry to board or leadership meetings to present the findings, with legally enforceable deadlines to fix. Having their board meeting stormed by assertive bureaucrats** telling them what they're going to do would be a very nasty surprise for the goons that infest most boardrooms.

        * Start with all the no-mates bedroom hacker brigade, the UK seems to have a credible resource of.

        ** It'd be a bit like being mauled by a capybara, but it makes sure the message is understood in a way that enforcement letters and regulatory enquiries don't.

      2. Anonymous Coward
        Anonymous Coward

        Why no air gaps

        Why is it that this sort of information, that is only required by internal people at a company, is not on an internal air gapped network? Mechanisms for moving data securely between the internal and external networks are not a challenge to set up. (No Routers) But of course it does require large companies to manage their own internal Internet (intranet) between their sites for personal data. All the remaining nonsense they hold, that relates to their business, could be anonymous, ident linked and therefore could be on the normal internet. Hackers would have to splice wires or break into a site or access very challenging telecoms networks at a lower level... It would also mean companies sharing personal information would probably have to verify that the share was authorised!

    2. wimton@yahoo.com

      Re: Wait a minute...

      Often, passport data of visitors is also demanded. But, this should not be retained forever.

    3. Anonymous Coward
      Anonymous Coward

      Re: Wait a minute...

      Someone said before, that would be HR data for ensuring your employees can legally work in UK

  8. Mad Mike

    Anyone who knows anything about Southern Water should realise their entire operating model is based on breaches. After all, their sewerage network regularly breaches to pour billions of litres of raw sewage into the environment. Their supply network regularly leaks everywhere to pour all that critical water (according to Southern Water) all over the roads etc. So, why are we surprised their IT systems leak! It's their entire model of operation.........

  9. Anonymous Coward
    Terminator

    Southern Water confirmed data leak :|

    Is there any combination of hardware and software that could isolate such an IT system from the public Internet?

    1. jake Silver badge

      Re: Southern Water confirmed data leak :|

      Airgap, plus proper security measures on the part of the staff.

      But that would cost profits money ... and The Board wouldn't be able to show real-time graphs to their mates down the pub.

  10. Charlie Stross

    You got the headline wrong

    You should have run with Black Basta ransomware gang breaks into Southern Water IT systems, threatens to dump shit everywhere

  11. Nitromoors

    This looks like internal HR stuff not Customer data. As a Southern Water customer they aren't likely to hold much of this data on me. It's not relevant and I have not provided it.

    1. TimMaher Silver badge
      Facepalm

      Re:- “I have not provided it”

      Look at your bill.

  12. Roj Blake Silver badge

    From the River to the Sea

    Is Southern Water's sewage release policy.

  13. Roger Kynaston
    Unhappy

    Out of every orifice

    It seems that water companies are leaking shit everywhere. I wonder if they outsource their IT to Fujitsu.

  14. wimton@yahoo.com

    I would not consider this as an attack on a utility.

    An IT system that was used by the water works was attacked, but this is not different from an attack on the IT system of a supermarket or a garage.

    Very few of such attacks impacted the distribution of services (exceptions: Stuxnet, Dark Energy and a few more).

    The attack on the "Capital" pipeline: the petrol kept flowing (technically), but if you cannot bill for it, there is a serious business problem.

  15. Anonymous Coward
    Anonymous Coward

    No evidence that our customer relationships have been affected

    Hardly surprising given that the only realistic impact a customer could have on the relationship is to move to a new property outside of their service area...
