Bank details of South Staffs Water customers have been published on the dark web after a cyber attack. The data breach took place in August and saw cyber criminals steal sensitive information. The firm said the “impacted data” included names and addresses of customers – alongside sort codes and account numbers. In a letter to those affected, it warned their data could be used in fraud cases. In a statement published on the company website, managing director Andy Willicott personally apologised for the incident – although the letter expressed “regret” and did not say sorry. The firm insisted: “Consumers can have complete confidence that the water we supply is safe.” But the incident stunned customers who received the letter in the past few days. The document gave no details of how the hack beat South Staffs’ security systems.
Breaches like the one affecting South Staffs Water, which has exposed the PII of many customers, unfortunately happen all too often, but the alarming thing is that they are happening with ever-greater frequency across all industries. Why? This data is so valuable to threat actors for the reasons stated above. The sobering reality is that these breaches don’t necessarily have to happen. Any business that collects PII needs to understand that they are high-profile targets and assume that a cyber-attack is imminent. IT leaders need to rethink their data security posture, strengthen outdated traditional controls such as border security with next-generation capabilities, and most importantly protect the very data itself that threat actors are after. Data-centric security, such as tokenisation, can convert sensitive data to innocuous and incomprehensible information that hackers simply can’t use or compromise, even if they get direct access to it.
The breach highlights how organisations need to be mindful of all types of data they have and ensure it is all protected. While protecting critical systems is important, equally so is customer information. While credit or debit cards can easily be cancelled and re-issued, other personal information such as names, dates of birth, addresses, etc. is not so easy to change – and if exposed, can be used by criminals to steal identities, or use the information to scam the victims via phishing attacks.
Ultimately, all data has value – even if data is of low importance, it can be combined with other forms of data to be quite problematic for individuals.