Cambridge Water: Customer details targeted in cyber attack

A water company customer has told how the theft of his details online had left him "feeling vulnerable".

Cambridge Water customers received letters this week after its parent firm, South Staffordshire PLC, was targeted by cyber-criminals in August.

Names, addresses and account details of direct debit customers were published on the dark web, the company said.

Richard Vaughan, from Foxton, Cambridgeshire, said he had "lost all trust" in his water supplier.

Cambridge Water apologised to customers and said "leading forensic experts" had discovered the data on the dark web, a part of the internet not accessible by conventional search engines.

The data breach was earlier revealed by Staffordshire Water.

South Staffordshire PLC, the parent company of South Staffs Water and Cambridge Water, said it had started informing customers involved after it was targeted on 16 August.

The company serves more than 1.7 million people, but it has not revealed how many of those are affected.

Mr Vaughan said: "I had no knowledge prior to that letter and it's left me feeling vulnerable.

"They've offered me a year's paid subscription to some analytical thing that tells me if my data has been sold on the dark web.

"Ultimately they're not doing anything to sort it out.

"I've lost all trust in Cambridge Water and if I had the opportunity, I'd switch supplier because they don't seem to care about their customers."

Sharon Bates, from St Ives, said her parents, aged 89 and 96, received the letter, which had caused "sleepless nights".

She said they had been advised by their bank to be vigilant to anyone calling them posing as the police or the bank in the light of the leak.

Richard Clayton, a security researcher at Cambridge University, who also received a letter from Cambridge Water, said the company could receive a substantial fine.

"People's data gets stolen all the time, but there's now a legal requirement on the company to tell customers when their data has been stolen," he said.

In a statement, Cambridge Water said: "Our investigation has now found that the incident resulted in unauthorised access to some of the personal data we hold for a subset of our customers.

"If customers do not receive a notification letter from us, then they do not need to take any action at this stage."

The National Crime Agency, the Information Commissioner's Office and water inspectorates had been notified, it added.

Find BBC News: East of England on Facebook, external, Instagram, external and Twitter, external. If you have a story suggestion email eastofenglandnews@bbc.co.uk, external