South Staffordshire Water has begun alerting affected customers about the leak.
The firm, which serves more than 1.7 million residential and commercial customers in Cambridge, parts of the West Midlands and Staffordshire, was hit with a ransomware attack in August.
The attack was carried out by the Cl0p group in a slightly botched fashion: the group seemed to believe it was extorting Thames Water. The group said Thames Water had ignored its ransom demands, which was not surprising given that the company had not actually been attacked.
Customers of Cambridge Water and South Staffs Water were left concerned after learning that the data stolen from South Staffordshire Water included their names, current addresses, sort codes, and account numbers.
It is believed that the customers affected are some of those who pay by Direct Debit.
Customers are now being warned via letter that fraudsters could attempt to use the stolen data to commit fraud, particularly by submitting fraudulent Direct Debit mandates to their bank or building society.
‘Investigations like this are very complex and it takes time to understand what happened and then to analyse the data that could have been impacted,’ South Staffordshire Water said.
‘As soon as we were aware that we needed to notify our customers in compliance with our legal obligations we began to do so.’
The company is providing customers whose information may have been compromised with free access to a credit monitoring service for a period of one year. The service should notify customers if their personal information has been exposed on the dark web.
The company claimed that although its corporate IT network had been disrupted, it was still able to provide safe water.
“Consumers can have complete confidence that the water we supply is safe,” said managing director Andy Willicott.
“We understand that customers trust us to keep their data safe and I’d personally like to say sorry to all those customers impacted – we’ll be doing what we can to support you through this. We will continue to invest in protecting our customers, our systems and our data.”
Given that the attack occurred in the summer, customers have expressed concern about the length of time it took to inform them of the data that had been stolen and published.
“It’s absolutely disgraceful that customers are only finding out about this data breach (and that our details are now on the dark web) four months afterwards,” one customer wrote on Twitter.
Some customers were upset that the letter they got from the managing director had “barely an apology” from the company.
Willicott wrote in the letter: “We regret the concern this may cause you and will do all we can to support you.”
One customer told Birmingham Live: “I really didn’t need this! I am busy working a new job, I am in the process of buying a house with my partner, and now I am alarmed that criminals could have access to my bank details.”
“What’s more, the letter is frustrating. The managing director keeps trying to minimise the issue and even takes the opportunity to remind me to ‘always be vigilant of fraud and wary of anyone who asks you for personal information’.
“I am careful! I wish private companies were more careful with their customers’ data. I wish the Government would step in to regulate or even take over these companies to be honest.”