
Ransomware attack on British water company cost it £4.5 million

Southern Water, fined £91 million in 2021 for extensive criminal pollution, declines to comment on ransom


British utility Southern Water has declined to comment on claims that it paid a £750,000 ransom in 2024 after an attack on its IT systems that affected 10% of its customers. But The Stack can reveal that the incident cost the company over £4.5 million in remediation and other costs. 

The Register spotted the £750,000 ransom proposal in leaked chats from the Black Basta ransomware group. Asked by the publication whether it had indeed paid this ransom, Southern Water (which in 2020 was fined a record £90 million by regulators for what a judge described as “shocking and wholesale” criminal pollution) declined to answer directly.

“As soon as we became aware, over a year ago, of an illegal intrusion affecting our IT systems (not affecting our operations or services to customers), we informed all relevant bodies, including NCSC and Defra. We and our advisers worked closely with NCSC throughout the incident,” the utility told our friends at El Reg, dodging a question on the ransom.

Ransomware attack costs revealed

In its annual report the utility noted that “in February 2024 we announced that data from a limited part of our server estate had been stolen through an illegal intrusion into our IT systems… We have incurred £4.5 million in responding to this exceptional incident during the year,” it added.

That makes it the latest company to put a hard number on how much damage a ransomware attack can do. Shipping firm Expeditors said a ransomware attack cost it $60 million in 2022; outsourcer Capita took a £20 million hit from a ransomware attack in 2023; and health insurance firm Change Healthcare’s CFO John F. Rex told investors in July that a ransomware attack on the company will cost it $2.45 billion – with "direct response" costs hitting $776 million. (That’s a pretty brutal price to pay for an attack that happened because a Citrix appliance didn’t have MFA.)

Southern Water says of the ransomware attack that “we estimate [it] affected around 10% of our customers” and adds in its annual report that “as a mature company, our digital estate needs continual maintenance and improvement to deliver the required capability across the business.”

The company says it is working towards, quote: 

• "Business continuity processes reducing impact on digital systems.
• "Active programme for migration of services off legacy infrastructure and onto new fully managed infrastructure.
• "Migration of critical and core service applications to new data centres.
• "Enhanced digital general controls following alignment to the NIS – CAF.
• "Continued investment in cyber threat mitigation strategies in response to the ever-changing risk landscape".

The leaked Black Basta logs show that the ransomware group first tried to extort $3.5 million from Southern Water following the attack in January 2024, with a negotiator ultimately trying to get them to settle for $750,000. Subsequent chat logs suggest that the company paid.

The news comes as the utility today confirmed that it would be attempting to raise £900 million of new equity by June 2025. It also revealed that it would be appealing regulator Ofwat's "final determination" which in December 2024 set a limit on how much it could raise bills. The equity raise will let it "continue with planned investments in new infrastructure and performance improvements, maintaining the urgency and pace of change. While supporting our operational and investment process, and our Turnaround Plan, our shareholders have received no dividends since 2017, and have injected £1.65 billion of new equity funding between 2021-24," it added.
