Southern Water says Black Basta ransomware attack cost £4.5M in expenses

United Kingdom water supplier Southern Water has disclosed that it incurred costs of £4.5 million ($5.7M) due to a cyberattack it suffered in February 2024.

Southern Water is a private utility company in southern England, providing water services to 2.7 million customers and wastewater services to over 4.7 million customers across Kent, Sussex, Hampshire, and the Isle of Wight.

The company supplies 570 million liters of water through a 13,973 km network daily and manages 1,522 million liters of wastewater via a 40,058 km sewer system.

Roughly a year back, Southern Water announced that it suffered a security breach, which didn’t impact its operations, financial systems, or customer-facing systems.

The attack was claimed by the Black Basta ransomware gang, a notorious threat actor known for not hesitating to attack critical infrastructure.

The company’s financial report, first seen by DataBreaches.net, determines the cost of the Black Basta attack to be around £4,500,000 (page 98). 

“In February 2024 we announced that data from a limited part of our server estate had been stolen through an illegal intrusion into our IT systems,” reads the report.

“We engaged external cyber security experts and legal advisers in response, as well as contacting anyone whose personal data may have been at risk.”

“We have incurred £4.5 million in responding to this exceptional incident during the year.”

For perspective, the amount is the same as Southern Water paid for pollution management operations last year, not accounting for the reputational damage, legal fees, and potential regulatory scrutiny that may accompany cybersecurity incidents.

Southern Water claims that it has contracted cybersecurity experts to continually monitor the dark web for data leaks impacting them or their clients, which has not occurred yet.

Meanwhile, analysis of the leaked internal chat logs from the Black Basta ransomware gang revealed that the water treatment company allegedly proposed to pay the ransomware actors £750,000 ($950k) on February 12, 2024.

Although the attackers initially demanded a payment of $3,500,000, by the end of February 2024, the company’s entry was removed from Black Basta’s extortion site, indicating that the two might have reached some agreement.

When asked by The Register if the company paid the ransomware gang, a spokesperson repeated past statements that did not clarify anything.