Lawyers have advised Cambridge Water customers they could have the potential to lodge “substantial claims” for compensation after a data breach.
Sean Humber, a data breach specialist, and partner at Leigh Day said: “This is a large and serious data breach.
“As the water companies themselves accept, the disclosure of sensitive financial information leaves affected customers vulnerable to fraud by criminals.
“If the water companies’ failed to take adequate steps to keep customers’ personal data safe, then those affected are likely to be entitled to compensation for the distress and anxiety caused by the breach as well as any financial losses that they may have suffered.”
Leigh Day says potential claims could be made by customers not only of Cambridge Water but also of South Staffs Water which had similar breaches.
The law firm says that customers’ personal information, including bank account details, have been hacked and published on the darknet.
In August 2022, South Staffs Water and Cambridge Water, announced that it had been victim of a cyber-attack and stated that there was some disruption to its corporate IT network.
These water companies provide water to over a million and a half people in England.
Responsibility for the cyber attacked was claimed by the East European ransomware group C10p (Clop) who stated that they had taken over 5 TB (terabytes) of data.
C10p posted a raft of stolen documents, including screenshots of identification documents, such as passports and driving licences, as well as details of the software systems used to monitor and control water treatment on its darknet site.
South Staffs Water and Cambridge Water reported the matter to the National Cyber Security Centre, National Crime Agency and the Information Commissioner’s Office and were also instructing their own IT security experts to investigate the matter.
On 29th November 2022, South Staffs Water and Cambridge Water published a further statement saying, “our investigation has now found that the incident has resulted in unauthorised access to some of the personal data we hold for a subset of our customers.”
Gene Matthews, a partner at Leigh Day, said: “This is likely to be an uncertain and deeply worrying time for those affected.
“Our own investigations, confirm that a considerable amount of information from this data breach is now on the darknet.”
Leigh Day advice that if you have been affected by this data breach and wish to discuss, in complete confidence and without any obligation, bringing a claim for compensation on a “no win, no fee” basis then contact Sean Humber or Gene Matthews on 020-7650-1200.
Andy Willicott, managing director of South Staffordshire PLC – the parent company of Cambridge Water – has apologised to customers.
Mr Willicott said: “We understand that customers trust us to keep their data safe and I’d personally like to say sorry to all those customers impacted – we’ll be doing what we can to support you through this.
“We will continue to invest in protecting our customers, our systems, and our data.”
In a statement, Cambridge Water said: “The incident resulted in unauthorised access to some of the personal data we hold for a subset of our customers.
“If customers do not receive a notification letter from us, then they do not need to take any action at this stage.”
A “dedicated helpline” has been set up for affected customers.
Two customers contacted the BBC about the data breaches.
Richard Vaughan of Foxton told the BBC that the theft left him “feeling vulnerable”, while Sharon Bates, from St Ives, said her parents, aged 89 and 96, received the letter, which had caused “sleepless nights”.
“If customers do not receive a notification letter from us, then they do not need to take any action at this stage.”
A “dedicated helpline” has been set up for affected customers.
The National Crime Agency, the Information Commissioner’s Office and water inspectorates had been notified, the company added.
Cambridge Water says: “In August, we announced that South Staffordshire PLC, the parent company of Cambridge Water, had been the target of a criminal cyber attack. We are writing to customers who have been impacted, so that they can take appropriate action. If you do not receive a letter from us, then you do not need to take any action at this stage. For further information, please visit our support page. “