Following the theft and disclosure of their data by the Clop/Cl0p ransomware group, nearly one thousand victims recently filed a class action lawsuit against South Staffordshire Plc.
South Staffordshire Plc, which owns South Staffordshire Water and Cambridge Water, served 1.6 million Midlands customers when Clop targeted its networks in August 2022.
The cyber attack on its systems became well-known at the time because Clop falsely claimed it had targeted Thames Water, which serves consumers in Greater London and other parts of south-east England.
The inept cyber crooks published a lengthy rant against Thames Water, criticising its alleged cyber malfeasance and urged customers to come together to sue them.
Two and a half years later, Manchester-based Barings Law is seeking legal action over the breach, for which South Staffs has admitted liability.
Bank sort codes, account numbers used for direct debit payments and bank transfers, names, residences, and other sensitive information were among the details that Barings said its claimants saw published on the dark web. It states that South Staffs did not fulfil its obligation to safeguard its clients' personal information.
“This cyber attack has exposed a significant number of individuals to potential risks and damages,” stated Adnan Malik, head of data breach at Barings Law. “Our clients are seeking not only financial compensation, but also accountability from South Staffs Water for the lapses in data protection. We are regularly fielding enquiries from the public who are concerned they may have been victims of this terrible incident.”
“This data breach is a serious infringement of privacy rights, and we will robustly pursue justice on behalf of the claimants to ensure that they receive fair compensation for the potential repercussions of this breach. Barings Law remains committed to championing the rights of those affected and holding accountable any entity that neglects its responsibility to protect sensitive data,” Malik added.
Barings was established in 2009 and is becoming known for specialising in similar collective claims involving cyberattacks that resulted in the theft and disclosure of personally identifiable information (PII).
Notable actions against Capita and Carphone Warehouse have advanced in the last 12 months.
The Capita lawsuit pertains to two 2023 incidents that compromised common people's data: the first was a ransomware attack that impacted multiple pension funds, and the second was an inadvertent leak of data housed in an insecure Amazon Web Services (AWS) S3 storage bucket. As of mid-January 2024, over 5,000 people had signed up to join.
Capita has denied the legitimacy of this claim, stating that "no evidence of any information in circulation, on the dark web or otherwise, resulting from the cyber incident, and no evidence linking Capita data to fraudulent activity".
