U.K.-based water utility Southern Water has confirmed that hackers stole the personal data of as many as 470,000 customers in a recent data breach.
Southern Water, which provides water and wastewater services to millions of people across the South East of England, said in a statement on Tuesday that it plans to notify “5 to 10 percent” of its customer base that they had personal information stolen by hackers during a cyberattack in January.
The utility giant declined to say exactly how many individuals are so far affected. Simon Fluendy, a spokesperson for Southern Water, told TechCrunch that the company has approximately 4.7 million customers, and did not dispute that between 235,000 and 470,000 customers had data stolen.
Southern Water notes that the “5 to 10 percent” figure is based on its ongoing forensic investigations, suggesting the actual number of individuals affected could be higher.
Southern Water declined to say what data was stolen. BBC News reports that hackers accessed customers’ dates of birth, national insurance numbers, bank account details and reference numbers.
Southern Water said it also planned to notify “all of our current employees and some former employees” about the breach of their personal information. In its latest annual report, Southern Water says it has approximately 6,000 employees.
The January cyberattack on Southern Water, which the company first disclosed on January 23, was claimed by the Black Basta ransomware group, a Russia-linked gang that last year took responsibility for a hack on U.K. outsourcing giant Capita.
Southern Water has not yet commented on the specifics of the incident or how its systems were compromised.
Black Basta listed Southern Water on its dark web leak site soon after the cyberattack last month and claimed to have stolen 750 gigabytes of sensitive data from the organization, including corporate documents and customers’ personal documents.
The listing, which threatened to publish the stolen data unless a ransom demand was paid, also included screenshots claiming to show some of the data stolen, including employee passports and identity cards.
At the time of writing, Southern Water is no longer listed on Black Basta’s website. It’s not uncommon for victim companies who pay a ransom to the hackers to have their public listings removed. Southern Water declined to say whether it had paid a ransom demand.
In its statement published on Tuesday, Southern Water says it is working with cybersecurity experts to monitor the dark web. Since the utility’s listing on the ransomware gang’s site, Southern Water says it has “found no new evidence of the data potentially involved in this cyber incident being published online.”
Southern Water says it has notified the U.K.’s data protection regulator, the Information Commissioner’s Office, about the incident.
ICO confirms data breach probe as UK councils remain downed by cyberattack