Craig Pepper
January 29, 2024
4 Min Read

Threat Report 29.01.24

Southern Water IT System Breach

Southern Water, a prominent UK water provider, has recently confirmed a breach in its IT systems. The attack, attributed to the Black Basta ransomware group, involved unauthorized access and the extraction of a reported 750 GB of sensitive data. This data includes personal identity documents (passports, driving licenses), HR-related materials, and corporate car-leasing documents, potentially compromising personal details of employees and customers.


The breach at Southern Water represents a significant cybersecurity threat, primarily due to the sensitive nature of the data involved. The exposure of personal information such as addresses, dates of birth, and nationalities raises concerns about potential identity theft and fraud. Additionally, the incident highlights the growing trend of attacks on critical infrastructure sectors, in this case, the water and wastewater industry.


Vigilance Against Identity Theft: Individuals potentially affected should monitor their financial accounts for unusual activity and consider credit monitoring services.

Password Security: Change passwords and enable multi-factor authentication for online accounts, especially for those linked to Southern Water.

Fraud Alerts: Place fraud alerts with credit bureaus if personal identification documents were compromised.

Stay Informed: Follow updates from Southern Water for any further revelations about the breach and take actions as directed.

Enhanced Cybersecurity Measures: Organisations, especially in critical infrastructure, should reinforce their cybersecurity defences, focusing on intrusion detection systems and regular security audits.

Employee Training: Conduct regular cybersecurity awareness training to mitigate the risk of phishing and other social engineering attacks.

Data Encryption and Backup: Ensure sensitive data is encrypted and backed up to reduce the impact of potential breaches.

Incident Response Planning: Develop or update incident response plans to ensure swift action in case of data breaches.

Sector-Wide Implications:

This incident underlines the heightened risk faced by the water and wastewater industry. The sector is advised to heed recent advisories from cybersecurity authorities like the NCSC and enhance their security posture accordingly. Collaboration with government agencies like the CISA and adherence to their guidelines is recommended to mitigate these evolving threats.

The Southern Water data breach is a stark reminder of the cyber risks facing critical infrastructure. It calls for heightened vigilance and proactive measures from both individuals and organizations to safeguard against similar incidents.

Subway Data Breach Allegation by LockBit

LockBit, a notorious ransomware gang, claims to have executed a cyberattack on Subway, the globally recognized sandwich chain. According to the gang's leak blog post dated January 21, they allegedly accessed Subway's database and exfiltrated sensitive financial data. This data purportedly includes details on employee salaries, franchise payments, and restaurant turnovers. Subway has yet to confirm or deny these allegations publicly, though they have acknowledged an ongoing investigation.


If true, this breach represents a critical threat to Subway's operational and financial confidentiality. The potential exposure of detailed financial information could severely impact Subway's competitive position and financial integrity. Additionally, the alleged breach raises concerns about the protection of employee personal and financial data.


Incident Verification and Communication: Promptly verify the breach and communicate transparently with stakeholders.

Enhanced Security Posture: Review and strengthen cybersecurity measures, especially focusing on intrusion detection and data encryption.

Ransomware Response Plan: Prepare or revise a comprehensive response plan for ransomware attacks, including decision-making protocols regarding ransom payment.

Employee Data Protection: Ensure strict measures are in place to safeguard employee data, and provide support to potentially affected employees.

Data Access Control: Limit access to sensitive financial data to essential personnel only.

Regular Security Audits: Conduct thorough and regular audits of IT systems to identify and rectify potential vulnerabilities.

Training: Educate employees about ransomware threats and prevention techniques.

Backup and Recovery: Maintain up-to-date backups of critical data and have a robust disaster recovery plan in place.

Sector-Wide Implications:

This incident underscores the evolving nature of cyber threats facing the food and beverage industry, particularly large franchises with extensive data repositories. Companies in this sector are advised to prioritize cybersecurity and be prepared for similar threats.

While the details of the alleged Subway data breach by LockBit remain speculative, the claim highlights the need for rigorous cybersecurity measures within large franchises. Organizations should remain vigilant, continually update their security protocols, and have an effective crisis response strategy in place to mitigate the impact of such incidents.

Hewlett Packard Enterprise (HPE) Email Environment Breach

Hewlett Packard Enterprise (HPE), a renowned information technology company, has reported a breach in its cloud email environment. The intrusion, disclosed in a regulatory filing with the U.S. Securities and Exchange Commission (SEC), is attributed to the Russian state-sponsored hacking group APT29. This group, also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes, is believed to have accessed and exfiltrated data from HPE's email mailboxes since May 2023. The targeted mailboxes reportedly belonged to individuals in HPE's cybersecurity, go-to-market, business segments, and other functions.


The breach at HPE is particularly concerning due to the group's historical involvement in high-profile cyber incidents and the sensitive nature of the targeted information. The exfiltration of data from key departments such as cybersecurity and business segments poses a significant threat to HPE's operational security and intellectual property.


Strengthen Email Security: Review and enhance security protocols for email systems, including advanced threat detection tools and multi-factor authentication.

Incident Response and Communication: Develop a clear communication plan to inform stakeholders and regulatory bodies about the breach and ongoing mitigation efforts.

Enhanced Monitoring and Detection: Implement robust monitoring to detect and respond to suspicious activities promptly.


Employee Training and Awareness: Regularly train employees on recognizing and reporting potential cyber threats.

Data Access Control and Segmentation: Limit access to sensitive information and segment networks to reduce the impact of potential breaches.

Regular Security Audits and Updates: Perform regular security audits and keep all systems and software updated to mitigate vulnerabilities.

Backup and Disaster Recovery: Ensure that critical data is regularly backed up and that a disaster recovery plan is in place.

Sector-Wide Implications:

This incident highlights the ongoing threat posed by state-sponsored actors to the technology sector, particularly those involved in cybersecurity and critical business functions. Organisations in this sector should be particularly vigilant and proactive in enhancing their cybersecurity measures to defend against sophisticated cyber espionage tactics.

The breach of HPE's email environment by APT29 underscores the sophisticated nature of state-sponsored cyberattacks and the need for heightened security measures in the technology sector. Organisations should prioritise cybersecurity as a key component of their operational strategy, continually updating their defences and response plans to mitigate the evolving threat landscape.

Critical Vulnerability in Confluence Data Center and Server

A critical template injection vulnerability has been identified in out-of-date versions of Confluence Data Center and Server. This vulnerability, if exploited, allows an unauthenticated attacker to perform Remote Code Execution (RCE) on affected versions. Atlassian has rated the severity of this vulnerability as critical, with a CVSS score of 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Affected Versions:

The vulnerability impacts the following versions of Confluence Data Center and Server:






8.5.0 to 8.5.3

It's important to note that version 8.4.5 and earlier versions released before December 5, 2023, are affected and do not receive backported fixes. Versions 7.19.x LTS are not affected by this vulnerability.


Immediate Patching: Organisations using affected versions must urgently update to the latest version. The following are the fixed and latest versions for Confluence Data Center and Server:

Fixed Versions: 8.5.4 (LTS), 8.5.5 (LTS)

Confluence Data Center Only: 8.6.0, 8.7.1, 8.7.2

Regular Updates: Continuously update to the latest versions to protect against non-critical vulnerabilities as outlined in Atlassian’s January Security Bulletin.

Given the critical nature of this vulnerability, its potential to allow unauthenticated remote code execution, and its high CVSS score, it is imperative for organisations using affected versions of Confluence Data Center and Server to take immediate action. Failing to address this vulnerability could lead to severe data breaches and unauthorised access to sensitive information.

Organisations utilising Confluence Data Center and Server must assess their current version and promptly update to the fixed versions to mitigate this critical security threat. Regularly updating software and staying informed about security bulletins are crucial practices for maintaining cybersecurity and protecting against emerging threats.

This vulnerability was discovered by Petrus Viet and reported through Atlassian's Bug Bounty program.

Read similar blogs