Southern Water hit for £4.5m after ransomware attack

Southern Water has admitted it has lost £4.5m to date in mitigation for last year’s ransomware attack, in addition to compromising the data of approximately 270,000 customers.

The attack, claimed to have been the work of the Russia-linked Black Basta group, occurred nearly a year ago although until now the utility company has been tight-lipped about the incident.

But in Southern Water’s annual report, the company states: “In February 2024 we announced that data from a limited part of our server estate had been stolen through an illegal intrusion into our IT systems. We engaged external cyber security experts and legal advisers in response, as well as contacting anyone whose personal data may have been at risk. We have incurred £4.5m in responding to this exceptional incident during the year.”

Southern Water services more than 2.7 million customers across Kent, Sussex, Hampshire and the Isle of Wight; some 10% of whom had data compromised by the attack.

Tech website The Register spotted a reference to a $750,000 payment in the thousands of internal messages from the Black Basta gang which were leaked two weeks ago.

When asked to confirm whether this ransom had been paid, Southern Water said: “As soon as we became aware, over a year ago, of an illegal intrusion affecting our IT systems (not affecting our operations or services to customers), we informed all relevant bodies, including NCSC and Defra. We and our advisers worked closely with NCSC throughout the incident.”

The leaked logs indicate that the ransomware group first tried to extort $3.5m from Southern Water following the attack, a negotiator appears to offer $750,000 to the group.

“..the Board is ready to increase our numbers to show you that we’re taking this negotiation seriously and hope to reach an agreement with you sooner rather than later. We’re now offering to pay you **$750,000** in exchange for a speedy resolution of this incident. If this works for you, we’ll be happy to proceed further with next steps. So, please let me know.”

It is unclear whether this ransomware was ever paid.