The Walsall-based company, which supplies drinking water to 1.3 million people, has been a victim of a large-scale cyber attack.
In a letter written to employees and customers, the company confirmed that personal data, including bank details, have been compromised following the attack.
In the letter, South Staffordshire Water explained that a ransomware group had hacked into their IT network, subsequently compromising employee and customer data. The identified documents are believed to include employee and customer names, current addresses, and bank details of those who pay by direct debit.
South Staffordshire Water claims to be continuing to assess the full extent of the data impacted, which means there may be additional information belonging to customers who may be affected.
Richard Forrest, legal director at data breach solicitors Hayes Connor, said his team understood that the data stolen in the cyber attack on South Staffordshire Water is visible on the dark web, posing a significant threat to any individuals affected.
“The information that we have received regarding the South Staffordshire Water data breach is very concerning," he said.
"When a company of such large scale experiences a data breach, it means a significant amount of personal data is likely at serious risk of being misused.
“When financial data is in jeopardy, individuals can fall victim to identity or takeover fraud. Criminals can then use this information to extract funds from the victim's bank account, as well as buy products and services, leading to both financial loss and emotional distress.
“It is also worrying that there has been no indication as to how many individuals have been affected so far, especially when you consider the size of the company, and that former employees and customers may also be impacted," said Mr Forrest.
The team at Hayes Connor advises victims to report any fraudulent credit card activity to the police, contact their bank immediately for advice and seek repayment for any lost funds.
Hayes Connor is currently working with 18 of the water company's employees who have been affected by the data breach, with more clients expected to make a claim.
Victims of the attack that would like to become part of the group action claim can call Hayes Connor on 0151 363 5895 or make a claim.
South Staffordshire PLC, the parent company of South Staffs Water and Cambridge Water, announced the attack via a statement.
South Staffs Water provides drinking water to approximately 1.3m people and has a head office in Walsall.
The mass hack took place on August 16 by criminal hackers who accessed various areas including the IT admin systems.