South Staffs Water data breach victims may be in line for compensation

Data protection experts at law firm Leigh Day are currently investigating claims on behalf of 1,418 clients in the West Midlands and more than 5,000 people nationally.

They believe those affected could each be entitled to compensation of more than one thousand pounds.

The breach was first announced in August last year when South Staffs Water and Cambridge Water said it had been victim of a cyber-attack and that there was some disruption to its corporate IT network.

In November 2022, the water companies announced that the investigation “has now found the incident has resulted in unauthorised access to some of the personal data we hold for a subset of our customers”.

Letters were sent to some affected customers at this time notifying them that the personal data affected included the name and address of the account holder together with bank details used for direct debit payments as well as “other information needed to operate your water account”.

In the letter, the water companies also confirmed that the data had been published on the darknet, stating: “There is a risk that criminals may try to use this compromised data to carry out fraud, in particular by submitting fraudulent direct debit mandates to your bank or building society.”

The water companies then sent out further different letters in January to other affected customers who had not previously been contacted. These letters also confirmed that these customers’ personal information had been breached and published on the darknet but were less clear about the data affected, including whether this included the customers’ bank details.

East European ransomware group C10p (Clop) have claimed responsibility for the cyber attack and posted a host of stolen documents, including screenshots of identification documents, such as passports and driving licences, as well as details of the software systems used to monitor and control water treatment on its darknet site.

The Information Commissioner’s Office (ICO), the UK’s independent regulator for data protection and information rights law, has confirmed that its investigations into the data breach are continuing.

Sean Humber, a data breach specialist and partner at Leigh Day who has successfully acted in a series of claims relating to the unauthorised disclosure of confidential information, said: “This is a large and serious data breach.

"As the water companies themselves accept, the disclosure of sensitive financial information leaves affected customers vulnerable to fraud by criminals.

“We are continuing to investigate claims by those affected by the data breach against the water companies for compensation for any distress or financial losses caused by the failure to take adequate measures to keep customers’ personal data safe.”

Gene Matthews, a partner at Leigh Day, who has successfully acted in a succession of large group claims over the last 20 years, added: “We are extremely pleased over 5,000 affected customers have already signed up with us nationally, including 1418 in the West Midlands, on a “no win, no fee” basis with no up-front payment required. If you have been affected, there is still time to contact us and join the claim.”

South Staffordshire PLC, the parent company of South Staffs Water and Cambridge Water, announced the attack via a statement.

South Staffs Water provides drinking water to approximately 1.3 million people and has a head office in Walsall.

The mass hack took place on August 16 by criminal hackers who accessed various areas including the IT admin systems.

South Staffordshire Water has been contacted for a comment.