Southern Water
A UK water utility exposed customer data to Black Basta—bank accounts, National Insurance numbers, and home addresses.
What happened?
Southern Water, which provides water and wastewater services to 4.7 million people in South East England, was breached by the Black Basta ransomware group. The attack, which occurred in January 2026, exposed personal data of over 470,000 customers and employees. The disclosure in March came months after the initial compromise.
What data was actually inside?
Customer names, home addresses, dates of birth, bank account details, National Insurance numbers, and payment histories. Utility companies know where everyone lives—by definition. Combined with banking details and NI numbers, this is everything needed for comprehensive identity theft.
Employee data was also exposed: HR records, payroll information, and internal communications.
Who gets hurt and how?
Over 470,000 customers who have no choice but to use Southern Water for their essential services. You can't switch water providers—you're stuck with whoever services your area. Now their bank details and National Insurance numbers are exposed because their utility company got breached.
The data enables bank fraud, tax fraud, and identity theft. The home addresses confirm where people live—essential infrastructure data now in criminal hands.
What did they think they were doing right?
Southern Water is critical national infrastructure, regulated by Ofwat and subject to various UK cybersecurity requirements. They have IT security programs, compliance frameworks, and presumably board-level oversight of cyber risk. Water utilities are supposed to be secure—they're essential services.
Being critical infrastructure makes you a high-value target. It doesn't make you more secure.
What did they not know about their own data?
Southern Water didn't know how accessible their customer data was across their systems. Utility companies have complex IT environments: billing systems, operational technology, customer service platforms, and legacy infrastructure. Each system touches customer data. Each integration point is a potential vulnerability.
They knew they had customer data. They didn't know Black Basta could access all of it.
What does attribution look like the morning after?
Notification to 470,000+ customers. Reporting to the ICO under GDPR/UK data protection law. Media coverage as a critical infrastructure breach. Parliamentary questions about utility sector security. Black Basta publishing data when ransom demands weren't met.
For utilities, breaches have regulatory consequences beyond data protection—Ofwat and NCSC involvement adds layers of scrutiny.
What would have changed the outcome?
Knowing where customer data and NI numbers live across all systems.
If Southern Water had mapped their sensitive data—customer records, banking details, National Insurance numbers—across their entire infrastructure, they could have prioritized protection and detected anomalous access. Utilities know they have customer data. They don't always know how exposed it is until ransomware groups demonstrate it.
Don't Learn What You Have From an Attacker
Southern Water didn't know what customer data was at risk until Black Basta showed them. Risk Finder shows you first.