#Privacy: South Carolina water company struck by cyber attack

Greenville Water is recovering from a cyber attack which forced the company to take phone and online payment systems offline.

The attack which occurred on Wednesday January 22, targeted the company’s utility’s payment systems, subsequently impacting nearly 500,000 customers. 

Greenville Water CEO, David Bereskin said in a statement that he is “fairly certain” the utility data “has not been compromised.”

“We have been preparing for potential attacks for years and put specific protections in place to ensure the safety of our data and the integrity of our water.”

An investigation has been launched into the attack and information has been shared with government agencies. In addition, experts “have taken immediate and appropriate action to reinforce existing security measures and to mitigate the potential impact, as well as determining its origin,” according to a statement released on Friday. 

Company spokesperson Emerald Clark emphasised that Greenville Water does not store customers’ credit card data, and that the incident has not impacted or compromised the “safety and delivery of water that is treated and maintained by our facilities.”

The phone payment system has now been restored and the online payment system was back up and running Monday afternoon. 

The company has assured its customers that any late payments will not lead to fines or the shutting down of their water supply. 

Brad Hamlett, Cyber Risk Analysis Group founder, explained that the attack on Greenville Water was likely the work of for-profit hackers targeting small- to medium-sized utilities: “They are looking for targets that are capable of paying low to-mid six-figure ransoms without going out of business.”

“They are also looking for organizations that collect nonpublic personal information (NPI) to sell on the dark web for profit. Small and medium water utilities meet both of these criteria.”

Fortunately the attack did not have a serious impact on the company. 

“The big takeaway for me was that investments in cybersecurity pay off,” Hamlett said. “It looks like this was an effort that was made over a period of days to compromise their network and the attack had very limited success.”

Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.

Reserve your place today and gain access to the entire event free of charge. With all sessions available to view live or on-demand, you can build a personalised agenda based on your key focus topics and make the event fit around your work schedule.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.