Thames Water has dismissed claims of its network being hit by cyber-attacks, despite an article claiming its IT is ‘falling apart’.

In the Guardian article published yesterday, it was claimed that underinvestment in IT systems that are critical to the security of London and the south-east’s water has left it prey to cyber-attacks from nation states, some of which have been partly successful, temporarily disabling some operations, according to three sources familiar with the company’s operations.

While Thames declined to comment on the record about cyber-attacks, a source at the company said it had “not experienced any cyber-attacks, full stop”.

According to sources who spoke to the Guardian, the systems are so antiquated they have been easy for cyber-criminals to attack.

Dr. Jared Smith, distinguished engineer and global threat intelligence lead at SecurityScorecard, said its Attack Surface Intelligence shows Thames Water is exposing dozens of vulnerable servers to the Internet, including several where there are multiple high severity CVEs and vulnerabilities with public exploits available.

“For the highest risk devices exposed, I verified the servers are still online and present the vulnerable versions of the software,” Smith said. “As we approach 2025, annual security reviews alone will no longer suffice as organizations adopt continuous monitoring of their supplier networks.

“A real-time approach to risk detection is essential for companies such as Thames Water. Companies that rely on traditional security methods face two major threats: costly business disruptions and lasting reputation damage. As attacks spread through interconnected systems, even a single gap in supplier security could expose entire business networks."

Updating Comes With Risks

Paul Bischoff, consumer privacy advocate at Comparitech, said: “Although Thames Water computer systems are old, updating them comes with other risks that need to be considered. A computer system from the 1980s is hopefully not networked or connected to the internet, which makes it more difficult to attack remotely.

“Plenty of modern water facilities have been attacked by cyber-criminals. In fact, water utilities are some of the most frequently attacked critical infrastructure providers in the world. That's not to say Thames Water shouldn't update its systems, just that it should tread carefully so as not to create more problems than it solves.”

Dan Raywood Senior Editor SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.