South Staffs Water - Customers Criminal Cyber-Attack.

Barlow99

Hi, I have today received notification from South Staffs Water that due to a cyber attack back in August that my banking details and personal details are now accessibly via the dark web to criminals. The letter is 6 pages long. One piece of advice is for me to pay £25 to set up Protective Registration with CIFAS. This informs lenders that you think your data could be at risk of fraud, due to this cyber attack. Should I, as the customer, be able to get this paid for by South Staffs? It is no faulty of mine after all? Any feedback be welcome.

Swipe

I would push for them to pay for it. If you get no joy, take it up with your MP.

DullGreyGuy

Are they offering compensation of £25 or more? In which case its not too unreasonable to say that the compensation should be used to fund the CIFAS registration if you decide to use it. 

ukpobrien31

Evening All,

I am after some advice about this, please. I received the letter today and just read through it. No apology for the breach, just almost blaming us, the customer and what steps WE can take to avoid fraudulent activity!!!! The letter says that the "impacted data" included names and address of customers - alongside sort codes and account numbers.

On their company website, the managing director 'apologised' for the incident, although the letter expressed "regret" and did not actually say sorry. It then goes on to say "Consumers can have complete confidence that the water we supply is safe." !!!!! WHAT!!!!! It's not the water that has been hacked, it's our personal financial details.

The letter is very frustrating. The managing director keeps trying to minimise the issue and even takes the opportunity to remind customers to 'always be vigilant of fraud and wary of anyone who asks you for personal information.' !!!!!!!!!!!!!!!!!!!!!!!!

The letter said: "The investigation found data related to some of our current customers who pay for their water bill via direct debit was accessed by the group responsible for the attack and was subsequently published on the part of the internet not accessible via search engines - known as the dark web."

I mean, where do I stand legally? Is there anything that can be done, or have they covered themselves from a GDPR point of view in terms of following the steps necessary, whatever they are?

Kind Regards,

Patrick.

billy2shots

ukpobrien31 said:

Evening All,

I am after some advice about this, please. I received the letter today and just read through it. No apology for the breach, just almost blaming us, the customer and what steps WE can take to avoid fraudulent activity!!!! The letter says that the "impacted data" included names and address of customers - alongside sort codes and account numbers.

On their company website, the managing director 'apologised' for the incident, although the letter expressed "regret" and did not actually say sorry. It then goes on to say "Consumers can have complete confidence that the water we supply is safe." !!!!! WHAT!!!!! It's not the water that has been hacked, it's our personal financial details.

The letter is very frustrating. The managing director keeps trying to minimise the issue and even takes the opportunity to remind customers to 'always be vigilant of fraud and wary of anyone who asks you for personal information.' !!!!!!!!!!!!!!!!!!!!!!!!

The letter said: "The investigation found data related to some of our current customers who pay for their water bill via direct debit was accessed by the group responsible for the attack and was subsequently published on the part of the internet not accessible via search engines - known as the dark web."

I mean, where do I stand legally? Is there anything that can be done, or have they covered themselves from a GDPR point of view in terms of following the steps necessary, whatever they are?

Kind Regards,

Patrick.

How much do you want?

MattMattMattUK

ukpobrien31 said:

I mean, where do I stand legally? Is there anything that can be done, or have they covered themselves from a GDPR point of view in terms of following the steps necessary, whatever they are?

The ICO will oversee their response to the data breach. They have reported to the ICO, they will be fined, they will have to change/upgrade their systems, they may be required to provide CIFAS protective registration to people who were part of the data breach. 

What you do is keep an eye on your credit files as everyone should do and carry on as normal. 

FreedomBringsPeace

Apparently tberes been a serious data breach at south staffordshire water. Alot of staff and customers data is now visible on the dark web, im quite concerned about this. What do i do if anything? 

MorningcoffeeIV

You don't need to do anything.

CKhalvashi

If you are personally affected it will be recommended to change any passwords, including those that use the same login details as those for your water account.

In future I'd recommend using a throwaway email account that forwards to your main one to ensure you are free from spam, I've done this for years.

Other than this at this stage there isn't a lot that can be done.

p00hsticks

Have you actually received a letter from South Staffs Water ?

I understand from this article that they've written to al lthose customers potentially affected advising them what steps to take.

https://www.computerweekly.com/news/252527832/South-Staffs-Water-customer-data-leaked-after-ransomware-attack

(From this report it, It sounds like a bit of a botch job on the part of the hackers - they actually hacked South Staffs but made their ransom demand to Thames water, and were then bemused when Thames didn't respond to them!)  

Keep_pedalling

I had the letter this morning (Cambridge Water customer). Not worried about passwords as I don’t have have one with them.