Veolia North America and Southern Water hit by ransomware attacks, data breach concerns arise


Veolia North America’s Municipal Water division has reportedly experienced a ransomware incident that has impacted certain software applications and systems. In response, the company’s IT and security incident response teams have swiftly mobilized and are actively collaborating with law enforcement and other third parties to investigate and resolve the incident. Similarly, Southern Water, a U.K. water company, has acknowledged that cybercriminals have claimed to have stolen data from some of their IT systems.

“In response to this incident, we implemented defensive measures, including taking the targeted back-end systems and servers offline until they could be restored. As a result, some customers experienced delays when using our online bill payment systems. Those systems are working normally again,” Veolia said in its statement. “Any payments made during this event have been applied, and customer accounts should reflect the most updated information. Customers will not be penalized for late payments or charged interest on their bills due to this service interruption.”

The company identified that the incident seems to have been confined to its internal back-end systems at Veolia North America, and there is no evidence to suggest it affected its water or wastewater treatment operations.

“In the course of our investigation, we have identified a limited number of individuals whose personal information was potentially impacted,” the company said. “Those individuals who may have been impacted by this incident will be contacted directly by Veolia and provided additional information and assistance. Your trust is a top priority for Veolia, and we deeply regret any inconvenience this may cause.” 

Veolia added that it is partnering with a third-party forensics firm to conduct a thorough investigation of the incident and to examine additional measures it can take to help prevent incidents of this kind in the future. “We are putting our full resources behind these efforts.”

Southern Water, a private utility company, disclosed on Tuesday that it “had previously detected suspicious activity, and had launched an investigation, led by independent cyber security specialists.” The company added: “Since then, a limited amount of data has been published. However, at this point, there is no evidence that our customer relationships or financial systems have been affected. Our services are not impacted and are operating normally.”

Southern Water has “informed the Government, our regulators, and the Information Commissioner’s Office; and we are closely following the advice of the National Cyber Security Centre (NCSC) as our investigation continues.”

It added that if, through the investigation, “we establish that customers’ or employees’ data has been stolen, we will ensure they are notified, in accordance with our obligations.”

News reports have indicated that the Black Basta ransomware group claimed the attack while publishing a snippet of the data it allegedly stole, which included scans of identity documents such as passports and driving licenses; documents that appear to be HR-related, displaying the personal data of what could be customers, including home address, office address, dates of birth, nationalities, and email addresses; and corporate car-leasing documents exposing personal data.

In November, Resecurity published data noting that, in the context of the Ukraine war, the most geopolitically noteworthy attacks include the steady stream of intrusions by cyber hackers like BlackCat/ALPHV, Qilin, and Black Basta targeting energy installations and refining hubs in the Low Countries, Switzerland, Italy, and Germany. “Germany, once the engine of the European economy, has been particularly hard hit by the transition away from Russian natural gas imports that has resulted from war-related sanctions,” it added.

With the recent ransomware attacks on Veolia in the U.S. and Southern Water in the U.K., Tom Marsland, vice president of technology at Cloud Range, said in an emailed statement that, to be clear, neither company had its ICS (industrial control systems) and OT (operational technology) systems disrupted, to their knowledge, and neither has any indication that the threat actors jumped that gap. “This is good news. However, this goes to emphasize the need to be a hard target. Securing your assets includes your normal corporate assets. As I said in my predictions for 2024, companies providing OT services will be a higher target, and every networked machine provides a possible avenue for intrusion.”

Marsland pointed to the recent joint Incident Response Guide for the Water and Wastewater Systems (WWS) sector from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Environmental Protection Agency (EPA). “Organizations in this sector that have been breached should read the guidance and incorporate it into their best practices. There is a lot of good information there that can help validate attacks and gather information,” he added.

Commenting on the Southern Water cyber attack, Jamie Akhtar, co-founder and CEO at CyberSmart, said in an emailed statement, “Although we don’t know the source of the breach yet, this story is the perfect illustration of how modern corporate structures and supply chains pose a security risk. The fact that some of the documents leaked are branded with Greensands logos – the parent company of Southern Water – suggests that the breach could have happened through any number of Southern Water’s subsidiaries or suppliers.

“Alongside this, the attack on Southern Water is part of a growing trend,” Akhtar said. “We’ve seen the water industry become an increasingly regular target for cybercriminals in recent months. This is due to the high level of risk associated with the sector, both in terms of the sensitive data it processes and the vital work it performs, and its inability (due to resources) to adequately protect itself.”
