UK water supplier confirms hack by Cl0p ransomware gang
The 'sympathetic' ransomware group originally misattributed the victim as Thames Water


The Cl0p ransomware group has claimed an attack on UK-based utility supplier South Staffs Water after misattributing the attack to a different company.
South Staffs Water confirmed the attack on Monday, saying it was “experiencing disruption to [its] corporate IT network”, but did not state the attack was ransomware in nature.
Cl0p published a trove of stolen documents on its leak blog on Monday, including passport scans, spreadsheets, drivers' licences, screenshots of wastewater treatment software user interfaces, and more.
It also claimed to have access to more than 5TB worth of data belonging to the hacked company which it falsely believed to be Thames Water, despite many of the published documents clearly showing South Staffs Water as the victim.
“Thames Water supply much of critical water services to people and companies,” read a statement from the ransomware gang. “Companies like this have much responsibility and we contact them and tell them that they have very bad holes in their systems. All systems.
“We spent months in the company system and saw first-hand evidence of very bad practice. This company is all for money and not deliver reliable service,” Cl0p added. “It is better to save one pound so management can make bonuses and stock price do well. They lost way when only concentration on finance.”
It also agreed to not encrypt any of the data belonging to the victim because doing so would violate the group’s policy to not attack critical infrastructure or healthcare organisations, it said.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Its unorthodox approach to ransomware saw it allegedly exfiltrate data from the water supplier and request money for its return, rather than locking staff out of their environments.
According to Cl0p, the outside negotiators working on South Staffs Water’s behalf offered a low sum for the data’s return and for information on how it was able to breach the supplier, an amount Cl0p branded a “joke”.
Cl0p said it had access to “every system” including supervisory control and data acquisition (SCADA) software used for managing industrial processes. In this case, Cl0p claimed it had access to the tools that controlled the chemical composition of water supplies.
Although it also said that the supplier ‘does not need to be afraid’ since the group will not maliciously tamper with systems, but warned other groups may not be as sympathetic.
RELATED RESOURCE
Introducing IBM Security QRadar XDR
A comprehensive open solution in a crowded and confusing space
Ransomware organisations often differ in terms of their philosophies and moral codes. Some outfits like the now-shuttered Conti were open in their amoral approach to ransomware.
The group was well known for being content with attacking big businesses as well as more sensitive organisations like charities and healthcare groups, such as US-based reproductive healthcare non-profit Planned Parenthood.
Ransomware criminals are also known for embellishing the truth of their attacks, sometimes claiming they have access to certain information when perhaps they may have merely seen the files on a drive, rather than stolen them or have the necessary privileges to access them.
Earlier this year, LockBit famously claimed an attack on cyber security giant Mandiant which turned out to be false and merely a PR stunt. Okta also revealed that the attack on the company by LAPSUS$ in March was overblown by the hackers' account of events.
Little information on the attack was offered by South Staffordshire PLC, the parent company of water supplier South Staffs Water, in a disclosure notice.
It confirmed that the company was still supplying water to Cambridge Water and South Staffs Water customers, a combined 1.6 million customers. It said this “is thanks to the robust systems and controls over water supply and quality we have in place at all times as well as the quick work of our teams to respond to this incident and implement the additional measures we have put in place on a precautionary basis.”
The company’s customer service teams are operating as usual and the appropriate authorities and regulators have been notified, it added.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.
-
Can the UK ban ransomware payments?
ITPro Podcast Attempts to cut off ransomware group profits could instead harm businesses
-
Intel to axe 24,000 roles, cancels factory plans in sweeping cost-cutting move
News Despite better than expected revenue in its Q2 results, the chip giant is targeting a leaner operation
-
The ransomware boom shows no signs of letting up – and these groups are causing the most chaos
News Thousands of ransomware cases have already been posted on the dark web this year
-
Everything we know about the Ingram Micro cyber attack so far
News A cyber attack on Ingram Micro severely disrupted operations and has been claimed by the SafePay ransomware group.
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
News The Hunters International ransomware group is rebranding and switching tactics
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackers
News While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker group
News An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabs
News An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operators
News A host of ransomware strains have been neutralized, servers seized, and key players indicted