The Southern Water cyber attack highlights the wave of threats faced by utilities companies

Birds eye view of a water treatment plant
(Image credit: Getty Images)

The hack of Southern Water by a notable ransomware group has highlighted the increasing risk to the water industry from cyber criminals, security experts have said.

Black Basta has claimed the attack, saying that if an unspecified ransom is not paid it will leak the stolen data on February 29. It claims to have stolen 750GB of sensitive data, including passports, ID cards, and the personal information of some employees.

Southern Water said it had already detected suspicious activity, and that it had launched an investigation, led by independent cyber security specialists.

"Since then, a limited amount of data has been published. However at this point there is no evidence that our customer relationships or financial systems have been affected. Our services are not impacted and are operating normally," it said.

"If, through the investigation, we establish that customers' or employees' data has been stolen, we will ensure they are notified, in accordance with our obligations."

The Southern Water cyber attack isn't an isolated incident

The water industry, along with other infrastructure, has increasingly been a target for ransomware operators over the last few years.

Late last year, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning of the active exploitation of Unitronics programmable logic controllers (PLCs), used extensively across the water sector.

The alert was followed a few days later by a warning from the UK's National Cyber Security Centre (NCSC), which described an 'enduring and significant’ threat.

Tim West, head of cyber threat intelligence at WithSecure, said the industry represents a ripe target for threat actors, with ‘hacktivist’ groups in particular ramping up attacks against operators in the space.

"While there have been hacktivist attacks on the water sector in recent months, many financially motivated actors have intentionally avoided interfering with critical national infrastructure such as water supplies, so as not to draw too much attention from law enforcement," he said.

"However, water companies also hold huge amounts of PII which not only has value on the dark web, but is excellent leverage for cyber attackers when demanding a ransom."


Black Basta is one of the smaller ransomware groups, and was first observed in 2022. It employs a ransomware as a service (RaaS) model, and uses a double extortion technique, stealing sensitive company data, threatening to release it, and advertising the data on the dark web.

"Stolen data usually ends up being sold on the dark web and can be used to commit further crimes such as identity fraud," said Rob Bolton, VP EMEA at Versa Networks.

"Paying ransom demands is no guarantee that stolen data will be returned, and it will only help fund future ransomware activity. Ransomware gangs have been known to still keep a copy of the data, as well as come back with further extortion fees."

According to research late last year by Elliptic and Corvus Insurance, Black Basta has netted at least $107 million in Bitcoin ransom payments since early 2022, and has attacked 329 victims, including Capita, ABB and Dish Network.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.