Victims 'violated' after water firm's data breach

Oprah Flash, West Midlands
Chris Durham says two phone contracts were taken out in his name

"Violated" and being "unable to trust" have been the feelings plaguing victims of a cyber attack on a Midlands-based water company.

The personal data of 633,887 people was stolen and published on the dark web, after South Staffs Water was hacked in 2020.

Customers said they faced a deluge of scam emails and had their identities cloned so mobile phones could be taken out in their name.

The corporation said it "remained focused on learning from this incident and maintaining strong safeguards across the group".

'I was robbed'

The cyber attack may have been four years ago, but for Chris Durham of Halesowen, its impact continues to linger.

"Not long afterwards, I had two phone contracts taken out in my name, one of which was a very expensive iPhone from somewhere in London," he recalled.

The 53-year-old had received emails to say a brand new phone he had not ordered was about to be delivered.

After reaching a dead end with the service provider, he resorted to contacting the delivery firm to try to stop the package from being sent to the scammers. In this case, one of the devices was being sent to Redbridge in north-east London.

The disgruntled customer says he now struggles to trust after the hack

"I could only delay it from being delivered for a couple of days, I couldn't stop it," Durham explained.

"Eventually, the service provider believed it wasn't me, but they wouldn't give me my money back. Instead they took it from my monthly payments.

"I only had a £14-a-month pay-as-you-go SIM, but after the hack they started taking £60 from my bank each month.

"It took me months to get my money back. I was frustrated, stressed and violated. I was robbed."

South Staffordshire, made up of South Staffordshire Plc and South Staffordshire Water Plc, was ordered to pay £963,900 by the Information Commissioner's Office (ICO) following the cyber attack, which was traced back to September 2020.

The watchdog and water company agreed to a voluntary settlement and South Staffordshire made an early admission of liability, agreeing to pay the penalty without appeal.

Durham added: "It's made me feel paranoid, I'm constantly thinking, 'What is going to come next?'. I'm constantly looking at my bank account looking to see if anything unusual has happened.

"I don't trust anyone now after that, when people call you they could be calling for something good but you lose trust."

A phishing email was used to launch the water company's hack, which allowed the cyber attackers to install malicious software. It remained undetected within the organisation's systems for 20 months.

Between August and November 2022, South Staffordshire discovered more than 4.1 terabytes (TB, each equal to 1,000GB) of data were published on the dark web. They included bank details of customers and National Insurance numbers of staff.

'Customers lose twice'

The firm says it has invested significantly to further strengthen its cyber security resilience

For customer Nigel Calladine, 75, from Staffordshire, a fine is not enough of a punishment for failing to bring in adequate security controls.

"The people who pay the fine are the people who were hacked, so the customer loses out twice," he said.

"My email inbox was just full of phishing and it lasted for six months. I had to change my email address, bank accounts, everything.

"A significant number of South Staff Water's customers, like ourselves, are not on the mains so we pay twice, we pay for fresh water, and we pay for effluent but we don't get any effluent removal we have to pay for that again."

South Staffordshire Plc said it placed dedicated advisors throughout the incident to support affected customers and offered access to a free credit monitoring service.

A spokesperson added: "We have invested significantly to further strengthen our cyber security resilience, governance and monitoring, and we continue to enhance our capabilities as the threat landscape evolves. Protecting customer and employee information is a responsibility we take extremely seriously."

If you think you may have been a victim of a scam, BBC Action Line has advice and links to websites of groups who may be able to help.
