Southern Water and Black Basta: How 750 GB of Personal Data Left a UK Utility

Approximately 750 gigabytes of data stolen from a regulated water utility serving 4.7 million people across southern England. National Insurance numbers, bank account details, sort codes, passport scans, and driving licences for between 5% and 10% of the customer base. Every current employee's personal records compromised, plus an unknown number of former staff.
Total cost: GBP 4.5 million in incident response, legal fees, forensic investigation, and 12 months of free credit monitoring for everyone affected.
That's the Southern Water breach from January 2024. The group behind it was Black Basta, a ransomware-as-a-service (RaaS) operation that had already hit over 500 organisations globally by the time they reached a UK water company. The attack didn't touch the water supply or sewage systems, and it didn't need to. The personal data was valuable enough on its own.
What most people think happened
The typical summary goes something like this: Southern Water got hacked by a ransomware gang, they encrypted the systems, the company paid up or didn't, and some data leaked online. It sounds like every other ransomware story from the last five years.
The reality is different in ways that matter if you're trying to understand the actual risk to critical national infrastructure (CNI) operators and the people whose data they hold.
Black Basta didn't encrypt Southern Water's operational systems. They didn't disrupt water treatment or sewage processing. What they did was exfiltrate a massive volume of personal data from the IT estate and then use that data as leverage in a double extortion model. The attack was about data theft and the threat of publication, not system disruption. The operational technology (OT) systems that control water treatment, distribution, and pump stations were unaffected.
That's not a minor distinction for anyone responsible for defending these systems. An attack that disrupts water supply to 2.5 million people is a different kind of emergency from one that steals employee passport scans. Both are serious incidents with real consequences. But they require different defences, different incident response playbooks, and different regulatory conversations.
What actually happened
The timeline
Southern Water hasn't disclosed the exact date of initial access. What's public is that Black Basta affiliates gained unauthorised access to the company's IT systems at some point in early to mid January 2024.
On 22 January 2024, Black Basta named Southern Water on its dark web leak site, known as "Basta News." The group posted sample data as proof: scanned identity documents including passports and driving licences, Human Resources (HR) records containing home addresses, dates of birth, and nationalities, plus corporate car-leasing documents. This was the first public indication of the breach.
Southern Water confirmed "suspicious activity" the following day, 23 January. The company acknowledged that "a limited amount of data has been published" and stated that operational services to customers had not been affected.
On 12 February 2024, Southern Water confirmed the scope: "data from a limited part of our server estate had been stolen through an illegal intrusion into our IT systems." The next day, 13 February, they began sending notification letters to affected customers and employees, offering 12 months of free Experian Identity Plus membership covering credit monitoring, fraud alerts, and dark web scanning.
By October 2024, Southern Water published an investigation update. An independent e-discovery partner had completed both analytics-based and manual review of the compromised data. The company stated there was "no evidence that this has been made available online" beyond the initial sample posted on 22 January.
The data that left
The exfiltration volume was approximately 750 GB, according to multiple industry sources. To put that in context, 750 GB is roughly equivalent to 150 million pages of text documents. The actual content was a mix of structured personal data and scanned documents.
Customer data included names, dates of birth, National Insurance (NI) numbers, bank account numbers, sort codes, and payment reference numbers. Southern Water stated that between 5% and 10% of their customer base was affected. Based on their 2.5 million water customers, that's somewhere between 125,000 and 250,000 people, though some media reports cite figures up to 500,000.
Employee data included home addresses, office addresses, dates of birth, nationalities, email addresses, scanned passport images, scanned driving licence images, HR records, and corporate car-leasing documentation. All current employees were notified, plus "some former employees." The total is estimated at around 2,000 current and former staff, though Southern Water hasn't confirmed an exact figure.
The NI numbers and bank details are the most consequential items. NI numbers are used across UK government services, tax records, and pension systems. Unlike a password, you can't change your NI number. Bank account numbers and sort codes, combined with names and dates of birth, create the conditions for identity fraud and social engineering attacks against financial institutions.
The ransom negotiation
What we know about the ransom demand comes from leaked Black Basta internal chat logs, not from Southern Water directly. In February 2025, a disgruntled Black Basta member leaked the group's Matrix chat logs. Those logs, cross-referenced by multiple security journalists, contain details about the Southern Water negotiation.
The leaked chats show that Black Basta demanded USD 3.5 million. Southern Water's board reportedly considered the amount too steep and countered with USD 750,000. Black Basta rejected that as too low and gave a five-day deadline before full data publication.
A separate chat message from March 2024, attributed to a user called "Tinker," states: "These have already paid, remember?" in reference to Southern Water. Around the same time, the Basta News listing for Southern Water disappeared from the leak site, which typically indicates either payment or ongoing negotiation.
Southern Water has neither confirmed nor denied making a payment. That's a legally standard position, and the leaked chat logs are single-source evidence from a criminal operation's internal communications, so they should be treated as indicative rather than confirmed.
The financial impact
Southern Water's Investor Report for the year ending 31 March 2024 records GBP 4.5 million in cyber incident costs, classified as an exceptional item. Of that, GBP 1.9 million was cash incurred during the 2023-24 financial year.
The GBP 4.5 million covers external cybersecurity experts, legal advisers, forensic investigators, customer notification costs, 12 months of Experian Identity Plus for affected individuals, and enhanced security measures. It does not include potential Information Commissioner's Office (ICO) fines, compensation claims, or long-term reputational costs.
Multiple law firms have launched group compensation claims on behalf of affected individuals. The legal basis cites UK General Data Protection Regulation (UK GDPR) breach for failure to protect personal data, with potential additional claims under the Network and Information Systems (NIS) Regulations 2018.
Who Black Basta are
Black Basta first appeared in April 2022 and operates as a RaaS platform. The group is widely assessed by security researchers at Trend Micro and SentinelOne as a successor to Conti, sharing similarities in leak site design, payment infrastructure, and negotiation style. SentinelOne has also linked Black Basta's custom endpoint detection and response (EDR) evasion tools to FIN7, also known as Carbanak, a separate threat actor with a long history in financial cybercrime.
By May 2024, the Cybersecurity and Infrastructure Security Agency (CISA) joint advisory AA24-131A documented over 500 Black Basta victims across at least 12 of 16 critical infrastructure sectors. By January 2026, Germany's Bundeskriminalamt (BKA) estimated approximately 700 organisations worldwide and over USD 100 million in total extortion revenue.
The group operates a double extortion model: they exfiltrate data and encrypt systems, then demand payment for both decryption and non-publication of stolen data. Ransom notes are dropped as readme.txt files containing a Tor onion-routed URL. Victims typically receive a 10 to 12 day window before data appears on Basta News.
In January 2026, the named leader of Black Basta was identified as Oleg Evgenievich Nefekov, a 35-year-old Russian national. Europol added him to the EU Most Wanted list, and Interpol issued a Red Notice. Nefekov was reportedly arrested in Armenia in 2024 but subsequently escaped custody, with analysis suggesting Russian state assistance. His current location is believed to be Russia.
The tools they use
The CISA advisory documents Black Basta's standard toolkit in detail. For initial access, the group uses spearphishing emails, the Qakbot trojan, exploitation of known vulnerabilities like ConnectWise ScreenConnect (CVE-2024-1709), and abuse of valid credentials. From May 2024, they added social engineering via email bombing and phone calls impersonating IT support staff. From October 2024, they began contacting victims through Microsoft Teams using legitimate external accounts.
For lateral movement and persistence, Black Basta affiliates deploy Cobalt Strike beacons, use BITSAdmin and PsExec for execution, scan networks with SoftPerfect network scanner, and harvest credentials with Mimikatz. Remote access is maintained through AnyDesk, Splashtop, ScreenConnect, and Microsoft Quick Assist.
Data exfiltration typically uses RClone, a cloud storage synchronisation tool, or WinSCP. For defence evasion, the group uses a tool called Backstab to disable EDR products and renames malicious utilities as "Intel" or "Dell" to blend with legitimate software.
Encryption uses ChaCha20 with RSA-4096 for key exchange. Volume shadow copies are deleted via vssadmin.exe to prevent local recovery. Encrypted files receive either a "basta" file extension or randomised extensions.
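Two of the behaviours described above leave process-creation telemetry that a defender can match on: vssadmin.exe deleting shadow copies, and a renamed utility whose on-disk name no longer matches the original filename embedded in its PE version resource. The following is an added example, not code from the article or from any Black Basta tooling, that runs those two checks over constructed events shaped like Sysmon Event ID 1 records. The Image, OriginalFileName and CommandLine field names are real Sysmon fields; the hostnames, paths and command lines are made up for the example, and the list of known tool names is taken from the utilities this article names.

```python
import re

# Constructed sample events in the shape of Sysmon Event ID 1 (process creation).
# Field names match Sysmon; the values are invented for this example and are not
# logs from the Southern Water incident.
SAMPLE_EVENTS = [
    {"host": "fs01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "fs01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin.exe list shadows"},
    {"host": "ws17", "Image": r"C:\ProgramData\Intel\Intel.exe",
     "OriginalFileName": "rclone.exe",
     "CommandLine": r"Intel.exe copy D:\HR\Scans remote:bucket -q"},
    {"host": "ws17", "Image": r"C:\Program Files\Dell\Dell.exe",
     "OriginalFileName": "Dell.exe", "CommandLine": "Dell.exe"},
    {"host": "dc01", "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
]

# T1490 (Inhibit System Recovery): vssadmin deleting volume shadow copies.
# "list shadows" is routine administration and must not match.
SHADOW_DELETE = re.compile(
    r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)

# Utilities the article names in the toolkit. OriginalFileName is read from the
# binary's version resource, so a renamed copy still reports its real name.
KNOWN_TOOLS = {"rclone.exe", "psexec.exe", "winscp.exe", "mimikatz.exe"}


def basename(path):
    """Last path component of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def detect(events):
    """Return a list of alert dicts for shadow-copy deletion and renamed binaries."""
    alerts = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        image = basename(ev.get("Image", ""))
        original = ev.get("OriginalFileName", "")

        if SHADOW_DELETE.search(cmd):
            alerts.append({"host": ev["host"], "technique": "T1490",
                           "severity": "high", "detail": cmd})

        # T1036 (Masquerading): on-disk name differs from the compiled-in name.
        # A renamed copy of a known tool is high severity; any other mismatch
        # is worth a look but may be a legitimately repackaged binary.
        if original and image.lower() != original.lower():
            severity = "high" if original.lower() in KNOWN_TOOLS else "medium"
            alerts.append({"host": ev["host"], "technique": "T1036",
                           "severity": severity,
                           "detail": f"{image} is really {original}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The OriginalFileName check is cheap and catches the "Intel"/"Dell" renaming described above without any signature for the tool itself; pairing it with a short list of known admin and exfiltration utilities lets the SOC route those hits straight to a high-priority queue.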
Myth versus fact
Myth: Black Basta shut down Southern Water's water supply
Fact: Southern Water confirmed that "operations and services to customers have not been impacted." Water supply, wastewater treatment, and distribution systems continued operating normally throughout the incident. The attack affected IT systems containing personal data, not the OT systems controlling physical infrastructure. This is actually evidence that IT and OT segmentation held, which is one of the positive findings from the incident.
Myth: the stolen data was published in full on the dark web
Fact: Black Basta posted a sample of the stolen data on 22 January 2024 as proof of compromise. By October 2024, Southern Water stated there was "no evidence that this has been made available online" beyond that initial sample. The Basta News listing for Southern Water subsequently disappeared from the leak site. Whether that's because of a ransom payment, negotiation, or another reason hasn't been publicly confirmed.
Myth: this was a sophisticated attack that only a nation-state could execute
Fact: Black Basta is a financially motivated criminal enterprise, not a state-sponsored operation. The vulnerabilities they exploit are well-documented. The CISA advisory lists CVE-2020-1472 (ZeroLogon), CVE-2021-42278 and CVE-2021-42287 (NoPac), and CVE-2021-34527 (PrintNightmare) among the Common Vulnerabilities and Exposures (CVEs) Black Basta affiliates use for privilege escalation. All of these had patches available long before January 2024. The tools are mostly off-the-shelf: Mimikatz, Cobalt Strike, PsExec, RClone. The execution is professional, but the techniques are not exclusive to state-level capabilities.
Myth: utility companies are not attractive ransomware targets
Fact: The NCSC's 2024 Annual Review identifies ransomware as "the most immediate and disruptive threat" to UK critical national infrastructure. Black Basta has targeted at least 12 of 16 critical infrastructure sectors. The water sector has been hit repeatedly: South Staffs Water was targeted by Clop in August 2022, and an Irish water utility was compromised through a Unitronics programmable logic controller (PLC) hack in December 2023. Utility companies hold large volumes of personal data, operate essential services under regulatory pressure, and often have complex legacy IT estates. That combination makes them attractive targets for groups operating a double extortion model.
What would have reduced the impact
These aren't speculative recommendations or generic best-practice lists. They're drawn from the CISA joint advisory AA24-131A mitigations and the specific characteristics of this incident.
Network segmentation between IT and OT
Southern Water's operational systems were unaffected, which suggests some degree of segmentation was in place. For other utility operators, the lesson is that isolating OT networks from the IT environment is what prevents a data breach from becoming a public safety emergency. Supervisory Control and Data Acquisition (SCADA) systems, industrial control systems (ICS), and programmable logic controllers that manage water treatment should not share network paths with email servers, HR systems, and file shares containing employee passport scans.
Data minimisation and access controls
750 GB is a lot of data to exfiltrate from any environment. NI numbers, bank details, and scanned passport images were all accessible from the compromised portion of the server estate. UK GDPR Article 5(1)(c) requires data minimisation, meaning organisations should store only what's needed and restrict access to those who need it. If passport scans from employee onboarding five years ago are still sitting on a file server accessible to the same network segment as everything else, they're an unnecessary liability.
Phishing-resistant multi-factor authentication (MFA)
CISA recommends phishing-resistant MFA across all critical services, with FIDO2 and WebAuthn as the preferred standards. Black Basta's initial access vectors include credential abuse and spearphishing. MFA doesn't prevent every attack path, but it eliminates the simplest one: logging in with stolen credentials. For remote access systems, VPN concentrators, and admin portals, MFA is the minimum expected control.
Endpoint detection and response with tamper protection
Black Basta uses Backstab to disable EDR products. That's a documented technique in the CISA advisory (MITRE ATT&CK T1562.001, Impair Defences: Disable or Modify Tools). EDR solutions that include tamper protection, meaning they resist attempts by malware to shut them down, directly counter this specific tool. Monitoring for EDR tampering events should be a high-priority alert.
Egress monitoring and data loss prevention (DLP)
Exfiltrating 750 GB of data to external infrastructure using tools like RClone takes time and generates network traffic. DLP controls on egress points, monitoring for unusual outbound data volumes, and alerting on connections to unfamiliar cloud storage endpoints would have created opportunities to detect the exfiltration in progress. This is particularly relevant for double extortion attacks where the data theft is the primary threat rather than encryption.
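To make the point above concrete, here is an added example (not code from the article or from Southern Water) that applies two of the suggested egress checks to constructed flow records: a per-host outbound volume check against a daily baseline, and a check for storage-looking destinations that are not on a sanctioned list. The hostnames, byte counts, baseline figures, storage-name prefixes and the 5x multiplier are all assumptions chosen for the example; a real deployment would take the baseline from NetFlow or proxy history and the sanctioned set from the organisation's own cloud tenants. It also includes a small helper for how long a given volume takes to move at a given link speed, which is what makes the "takes time" argument measurable.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    ts: str         # ISO 8601 timestamp (constructed)
    src: str        # internal source host
    dst: str        # destination hostname from proxy or DNS correlation
    dst_port: int
    bytes_out: int  # bytes sent from src to dst in this record


# Constructed flows for one day. fs01 pushes ~40 GB to an unsanctioned storage
# endpoint overnight; the other hosts show ordinary traffic.
SAMPLE_FLOWS = [
    Flow("2024-01-14T02:05:00Z", "fs01", "objstore.cloud-example.test", 443, 12_000_000_000),
    Flow("2024-01-14T02:35:00Z", "fs01", "objstore.cloud-example.test", 443, 14_500_000_000),
    Flow("2024-01-14T03:10:00Z", "fs01", "objstore.cloud-example.test", 443, 13_800_000_000),
    Flow("2024-01-14T09:00:00Z", "ws22", "files.corp-tenant.example", 443, 350_000_000),
    Flow("2024-01-14T09:30:00Z", "ws22", "updates.vendor.example", 443, 90_000_000),
    Flow("2024-01-14T10:00:00Z", "dc01", "files.corp-tenant.example", 443, 20_000_000),
]

# Constructed per-host daily outbound baseline in bytes (e.g. a 30-day median).
BASELINE_DAILY_BYTES = {"fs01": 2_000_000_000, "ws22": 500_000_000, "dc01": 50_000_000}

# Constructed: the organisation's own file-sync tenant is the only approved store.
SANCTIONED_STORAGE = {"files.corp-tenant.example"}

# Assumed hostname prefixes that suggest an object/file storage service.
STORAGE_HINTS = ("objstore.", "storage.", "s3.", "blob.", "files.", "drive.")

VOLUME_MULTIPLIER = 5  # alert when a host exceeds 5x its daily baseline


def daily_egress(flows):
    """Total outbound bytes per source host."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.src] += f.bytes_out
    return dict(totals)


def is_storage_endpoint(host):
    return host.lower().startswith(STORAGE_HINTS)


def detect_exfil(flows, baseline=BASELINE_DAILY_BYTES, sanctioned=SANCTIONED_STORAGE):
    """Return (kind, host, detail) tuples for volume spikes and unsanctioned storage."""
    alerts = []
    for host, total in daily_egress(flows).items():
        base = baseline.get(host)
        # No baseline at all is itself suspicious: an unknown host is sending data out.
        if base is None or total > VOLUME_MULTIPLIER * base:
            alerts.append(("volume", host, total))
    seen = set()
    for f in flows:
        if is_storage_endpoint(f.dst) and f.dst not in sanctioned and (f.src, f.dst) not in seen:
            seen.add((f.src, f.dst))
            alerts.append(("unsanctioned_storage", f.src, f.dst))
    return alerts


def transfer_hours(total_bytes, mbit_per_s):
    """Hours needed to move total_bytes over a link of mbit_per_s (decimal megabits)."""
    return (total_bytes * 8) / (mbit_per_s * 1_000_000) / 3600


if __name__ == "__main__":
    for alert in detect_exfil(SAMPLE_FLOWS):
        print(alert)
    print(f"750 GB at 100 Mbit/s: {transfer_hours(750_000_000_000, 100):.1f} hours")
```

At 100 Mbit/s the figure cited in this article works out to roughly 17 hours of sustained upload from one host, which is the window a daily volume check of this kind is designed to fall inside. The two checks are deliberately independent: the volume rule needs no knowledge of the destination, and the destination rule fires on the first flow regardless of size.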
Rapid patching for known exploited vulnerabilities
Black Basta's toolkit relies on vulnerabilities with patches available years before exploitation: ZeroLogon (patched August 2020), PrintNightmare (patched July 2021), NoPac (patched November 2021). Maintaining a patching cadence that addresses CISA's Known Exploited Vulnerabilities (KEV) catalogue eliminates the most commonly used privilege escalation routes. The exact initial access vector for Southern Water hasn't been disclosed, but reducing the available attack surface through timely patching is universally applicable.
What changed after
Regulatory response
Southern Water notified the ICO, the National Cyber Security Centre (NCSC), the Department for Environment, Food and Rural Affairs (Defra), and the police. The company stated it "worked closely with NCSC throughout the incident." The ICO opened an investigation. As of March 2026, no penalty decision has been publicly announced. The ICO can fine up to GBP 17.5 million or 4% of annual global turnover under UK GDPR for inadequate security measures.
Southern Water is designated an Operator of Essential Services (OES) under the NIS Regulations 2018, which apply to water suppliers serving more than 200,000 people. The Drinking Water Inspectorate (DWI) is the operational competent authority for NIS incidents in the drinking water sector, and the NCSC serves as the Single Point of Contact (SPOC) and Computer Security Incident Response Team (CSIRT) for all NIS incidents. OES are required to notify their competent authority within 72 hours of becoming aware of a significant incident.
Legislative changes
The Cyber Security and Resilience Bill was introduced to Parliament on 12 November 2025. It reforms the NIS Regulations, expanding scope to managed service providers (MSPs), data centres, and critical suppliers. It strengthens incident reporting requirements and explicitly covers the water sector, including quality monitoring, pump controls, billing systems, and treatment plants. The Bill completed its second reading and committee stage.
Ofwat, the economic regulator, had previously assessed Southern Water as having "one of the least developed approaches" in vulnerability strategies. That assessment predated the breach but provides context for the regulatory environment.
Black Basta's trajectory
The group has been largely inactive since early 2025 following internal leaks and infighting. The February 2025 chat log leak, reportedly triggered by a member upset about the group targeting Russian banks, exposed operational details, negotiation strategies, and internal disagreements. Whether Black Basta reconstitutes under a different name, as Conti did before them, remains an open question in the threat intelligence community.