Cyber Incident Victim: South Staffordshire Water
Date: Aug 2022
Location: United Kingdom
Summary
A cyberattack targeting South Staffordshire Water caused IT system disruptions but did not compromise water safety or distribution for its 1.6 million customers, as operational controls remained functional. The Clop ransomware group initially misidentified the victim, falsely claiming to have breached Thames Water and leaking stolen data including SCADA system screenshots, passports, and login credentials—later correcting their extortion site to list the correct entity. Attackers exfiltrated 5TB of data and attempted ransom negotiations during a drought period, likely seeking heightened leverage, though the company maintained service continuity throughout the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On August 16, 2022, South Staffordshire Water, a UK utility supplying drinking water to 1.6 million consumers daily, confirmed IT system disruptions caused by a cyberattack. The company stated that its water safety and distribution systems remained operational, so there was no immediate impact on supply quality or availability for its customers or for its subsidiaries Cambridge Water and South Staffs Water. It attributed this resilience to existing robust operational controls and to rapid incident response measures implemented as precautions. Service teams continued normal operations, minimizing outage risks. Concurrently, the Clop ransomware gang claimed responsibility for breaching Thames Water, the UK’s largest water supplier, alleging access to SCADA systems that it said could endanger 15 million customers. Clop asserted it had exfiltrated 5TB of data without deploying encryption, citing Thames Water’s inadequate network security, and leaked samples including passports, SCADA interface screenshots, and driver’s licenses after ransom negotiations failed. Thames Water denied the breach, labeling it a "cyber-hoax" and confirming uninterrupted operations.

Evidence within Clop’s leak, however, implicated South Staffordshire Water. A leaked spreadsheet contained credentials linked to South Staff Water and South Staffordshire email domains, while another document was explicitly addressed to South Staffordshire PLC. This discrepancy suggested Clop either misidentified its target or attempted to pressure Thames Water using falsified data. On August 17, Clop corrected its extortion site to list South Staffordshire Water as the victim. The attack occurred during severe drought conditions, with eight UK regions enforcing hosepipe bans and water rationing, a context potentially exploited to amplify extortion pressure. South Staffordshire Water maintained public assurances throughout, emphasizing no compromise to critical infrastructure or customer safety despite unresolved IT disruptions.
