Cambridge Water customers are the latest to be revealed as victims of the South Staffordshire Water cyberattack. Names, addresses, and bank account details of victims have been found on the dark web. The company has warned that criminals could use the data to submit fraudulent direct debit requests from victim accounts.
As reported by Tech Monitor, the cyberattack took place in August, with Russian ransomware gang Cl0p claiming responsibility. It remains unclear whether a ransom for the data was demanded of the water company.
Cambridge Water supplies water to 350,000 residents of Cambridgeshire.
South Staffordshire Water Company attack details leak out
In the months following the attack, investigations were carried out by the company into the breach. Though details of how it happened have yet to be revealed, last week South Staffs Water, Cambridge Water’s sister company, admitted that it had found its customers’ direct debit data being shared on hacking forums.
Today it has been revealed that direct debit details of Cambridge water customers are also being shared on dark web forums. The water company sent out a letter to affected customers.
“We can now confirm that the data of yours that was impacted includes your name and current address, the bank details you provided for your direct debit payments to us and may also include other personal data which we process about you to provide you with clean water and related services,” says the letter, seen by Tech Monitor.
It then goes on to explain the risks that come with the data being exposed. “There is a risk that cybercriminals may try to use this compromised data to carry out fraud, in particular by submitting fraudulent direct debits to your bank or building society using the data compromised in the cyberattack.”
The company is offering a year’s subscription to a fraud monitoring service to help customers track whether their details are being used illegally, and has set up a hotline for affected customers.
Tech Monitor has contacted South Staffordshire Water for comment. It has not disclosed how many customers were impacted by the breach.
Cambridge Water data breach: unhappy customers
Those who have been affected by the attack are urged to sign up for the fraud service and to remain vigilant of any signs of wrongdoing on their bank accounts.
However, this package does not appear sufficient to quell the anger of the customers affected by the data leak. One victim who wished to remain anonymous told Tech Monitor, “It’s very scary to think that this information may have been available on the dark web for three months and the first we heard about it was when the letter arrived today.
“Our bank account details could have been compromised by fraudsters and we’ve been left in the dark about it. Cambridge Water has offered us a year’s subscription to an identity monitoring service, but what happens when that expires? It’s not good enough.
They added: “You trust utility companies to look after your data properly and when something like this happens it’s really terrifying. I hope they will provide suitable compensation and a full explanation of how this happened.”
Read more: Why are UK police forces being overwhelmed by cybercrime?
