No Pressure: Water Utility Drips Alert 4 Months After BreachSome Customers at Risk of Identity Theft, South Staffordshire Water Belatedly Warns
Is a four-month delay between learning your systems were breached and notifying affected customers acceptable?
South Staffordshire Water in England this week began warning customers that their personal details were exposed in a data breach, elevating their risk of identity theft. The privately owned utility serves 1.7 million Britons but won't say how many were caught up in the breach, which occurred in July, the company confirmed in August.
That delayed acknowledgment happened after the Cl0p ransomware group had already taken responsibility, albeit after first erroneously fingering Thames Water Utilities as the victim. Subsequently, South Staffs Water issued a data breach notification, confirming that it was the victim, as data leaked by Cl0p suggested (see: Comedy of Errors: Ransomware Group Extorts Wrong Victim).
"Consumers can have complete confidence that the water we supply is safe," says Andy Willicott, managing director of South Staffs Water. "We understand that customers trust us to keep their data safe and I'd personally like to say 'sorry' to all those customers impacted - we'll be doing what we can to support you through this."
The utility says its investigation, which involves third-party digital forensic experts, is ongoing. "Our investigation has now found that the incident resulted in unauthorized access to some of the personal data we hold for a subset of our customers."
South Staffs Water is notifying victims through physically mailed notices, and the company says that due to ongoing Royal Mail strikes, the notifications might take some time to arrive. "The data affected in the incident was the name and address of the water account holder, together with the sort code and account number used for the Direct Debit and other information needed to operate your water account," it says.
Notification: How Fast Is Fast Enough?
What took the organization so long to begin notifying victims? South Staffs Water hasn't issued a clear explanation.
Instead, it says via an FAQ: "Investigations like this are very complex and it takes time to understand what happened and then to analyze the data that could have been impacted. As soon as we were aware that we needed to notify our customers in compliance with our legal obligations, we began to do so."
Under the U.K. version of the General Data Protection Regulation, organizations that suffer a breach that "is likely to result in a high risk to the rights and freedoms of individuals" - for example, because their personal information was exposed - are required to inform victims as quickly as possible. "Without undue delay," is how guidance issued by Britain's privacy watchdog, the Information Commissioner's Office, characterizes it.
South Staffs Water says that "as soon as we discovered the incident, we notified the Information Commissioner's Office in line with our legal obligations and have been keeping them updated as our investigation progressed." It has also been working with the National Cyber Security Center and the National Crime Agency.
Under the GDPR, a British organization that suffers certain types of breaches must notify the ICO "within 72 hours of becoming aware of the breach, where feasible," it says.
The ICO didn't immediately respond to a request for comment about whether the four-month timeline for notifying victims in this case was acceptable or if the utility should have moved more quickly.
Data breach experts have told me giving notice within 30 days of discovering a breach is a good benchmark. That gives the organization time to investigate and provide actionable information to anyone at risk, for example, of identity theft or fraud (see: Data Breach Notifications: What's Optimal Timing?).
South Staffs Water says it is offering victims a prepaid 12-month subscription to TransUnion's TrueIdentity credit monitoring service. "Beyond that time, there are free credit monitoring services available, such as ClearScore, which we recommend you consider," it says. TransUnion's Cyberscout service has also been hired to provide a telephone support line for victims.
Expanded Network and Information Systems Regulations
The belated breach alert comes as the U.K. government has signaled that it plans to require more critical infrastructure utilities to improve their cybersecurity posture.
Specifically, the Tory government led by Prime Minister Rishi Sunak plans to advance legislation that will lead to the country's Network and Information Systems regulations being "strengthened to protect essential and digital services against increasingly sophisticated and frequent cyberattacks both now and in the future." It says the proposed legislation will make the regulations applicable to "essential everyday services, such as water, energy and transport."
What this will mean in practice so far is about as clear as the breach notification from South Staffs Water. But the government says it wants to revise NIS to make covered organizations have to notify regulators about "a wider range of incidents that disrupt service or which could have a high risk or impact to their service, even if they don't immediately cause disruption."