South Staffordshire Water, which supplies water for more than 1.7 million people in England, has said that an attempted ransomware attack in August may have enabled cybercriminals to steal customer bank details.
At the time of the incident, the company stressed that water supply was not affected, although its corporate network was experiencing disruptions. The company said in an update on Wednesday that customers who paid by direct debit may have had their bank details stolen.
“Since the incident, we’ve been working with leading forensic experts to investigate fully what happened. Our investigation has now found that the incident resulted in unauthorized access to some of the personal data we hold for a subset of our customers,” the company announced.
The affected details include the names and addresses associated with customers’ accounts as well as the bank details (account numbers and sort codes) used to set up direct debit payments. South Staffs said it is writing letters to the affected customers.
The company also said it had notified a number of regulatory bodies, including the National Crime Agency, National Cyber Security Centre, and the water services regulation authority Ofwat.