Data Breaches (Consumer Protection)

Volume 601: debated on Monday 26 October 2015

(Urgent Question): To ask the Secretary of State for Culture, Media and Sport if he will make a statement on Government responsibilities and policies for protecting consumers and infrastructure following large-scale data breaches such as that suffered by TalkTalk.

Let me begin by saying that this is clearly a very serious matter. We are all aware that TalkTalk suffered a data breach last week. I want to reassure Members of this House, and TalkTalk customers who may have been affected, that law enforcement has been working very closely with the company since the breach was notified and of course continues to do so.

I commend the chief executive of TalkTalk for her openness and transparency since the company became aware of the attack. I know that she will do all she can to protect her customers. Nevertheless, this is a very serious incident. I understand that the company has offered free support to customers to ensure that they are alerted to any suspicious activity in relation to their bank accounts. I am also reassured that the Financial Conduct Authority has said that it is not aware of any unusual activity at the moment, and that further advice and guidance is available in a range of places such as Get Safe Online and Cyber Streetwise.

However, it is extremely important that companies do all they can to protect themselves, and of course their customers, from cyber-attacks. This Government and the previous Administration have worked extremely hard to ensure that companies have the tools they need to protect themselves. We have invested £860 million over five years in the national cyber-security programme, set up the national cybercrime unit inside the National Crime Agency, and launched the Cyber Streetwise and Cyber Essentials schemes. I am pleased that the number of businesses aware of Cyber Streetwise has doubled and that more than 1,000 businesses have now signed up to the Cyber Essentials scheme, which sets out basic technical controls.

A year ago we made it mandatory that any company that contracts with Government should be accredited under the Cyber Essentials scheme, where appropriate and proportionate. I am also pleased that almost every FTSE 350 company has included cyber-security on its risk register. The “10 Steps to Cyber Security” guidance gives large businesses and organisations comprehensive advice and there are simplified versions available for small and medium-sized enterprises.

Recent events show how vital it is that we maintain that momentum and that businesses act on our advice in order to protect their customers from harm. I will write again to the FTSE 350 companies, to reinforce the steps we expect them to take and the robust procedures that they need to have in place.

The Government take the UK’s cyber-security extremely seriously and we will continue to do everything in our power to protect organisations and individuals from attacks.

Thank you, Mr Speaker, for granting this urgent question.

When someone’s data are lost, criminals are given a gateway into their lives. I have spoken to one woman who lost £5,000 in a sophisticated scam following a previous TalkTalk breach. Today, up to 4 million people are wondering what data they have lost and where a cyber-attack will come from. They are checking their bank accounts, callers and credit cards. The Government need to reassure us that our digital lives are secure, and they need to help our digital economy to grow.

When did the Minister first speak to TalkTalk about the breach and its implications? Is he now aware of what data were taken and whether they were encrypted? What obligations were there on TalkTalk to report the breach to the Information Commissioner’s Office and to advise customers, and did it do that quickly enough? What rights of compensation do TalkTalk customers have and for how long, and how can they exercise them?

Will the Minister ask the Information Commissioner to update his guidance in the light of the current confusion? What additional resources will police have to respond to the up to 4 million inquiries from frightened customers, and will the breach be reported as one cybercrime or many?

For many years, we have been calling on the Government to take action to protect consumers and citizens from cyber-scams. This Government’s data policy is chaos illuminated by occasional flashes of incompetence. Will the Minister acknowledge that all the innovation has come from the criminals while the Government sit on their hands, leaving it to businesses and consumers to suffer the consequences?

Of course, the hon. Lady is perfectly entitled to ask those questions, many of which are valid, but I have to take issue from the very beginning with her assertion that the Government have somehow been sitting on their hands. I do not think she heard my response to the urgent question. We have invested more than £860 million in cyber-security and we have a number of very effective schemes with which to engage business. It is worth remembering that that money was invested at a time of economic austerity and that that was one of the first decisions taken by the coalition Government.

The hon. Lady asked how many people have lost their data. The situation is fast moving and, given that the investigation is ongoing, it would be remiss of me to put a final figure on it. As I said in my response, law enforcement agencies have been in touch, and we have been in continuous discussion, with TalkTalk since Thursday.

On the question of what data have been taken, the chief executive of TalkTalk has issued a number of statements, saying that bank account details have been given out and that some credit card details, albeit tokenised, have been stolen as well.

The question of whether TalkTalk reported the breach to the Information Commissioner’s Office in time will be a matter between the Information Commissioner and TalkTalk, although I understand that it was reported on the Thursday. As I understand it, any rights of compensation and how long they will take will also be a matter for the Information Commissioner.

I am delighted that, since last month, the Information Commissioner falls within my Department. It is precisely that kind of joined-up government that is needed to make our combating of cybercrime and cyber-fraud as effective as possible. I will certainly meet the Information Commissioner to discuss the issues.

The police have extensive resources with which to combat cybercrime, and we are the Government who set up the national cybercrime unit.

May I just confirm that we will look very closely at this issue on the Culture, Media and Sport Committee? Has my hon. Friend noted that it appears that much of the information had not been encrypted? Is there in fact a case for requiring the encryption of customer data by other companies, such as this one, in future?

I am delighted that the Chairman of the Select Committee will conduct an inquiry into data protection. I am sure that the inquiry, particularly the findings that come out of the report, will be extremely valuable. It has to be said that companies should encrypt their information. There has been some misinformation that the Government are somehow against encryption.

Wednesday’s cyber-attack on TalkTalk has illustrated the problems faced by a Government who have failed to protect the interests of consumers through their lightweight regulation of telecoms. For the third time in less than a year, the 4 million customers of TalkTalk have had their confidential details compromised and, once again, the Government and TalkTalk have fallen short in their response.

TalkTalk has attempted to downplay the impact of the attack on its website, stating that the core system was not affected, but that ignores the broader use of personal data in fraud and identity theft. It is estimated that the value of a credit card number to a criminal increases by 500% when combined with the personal details of the individual. Although credit card numbers expire and can change, self-evidently people’s names, addresses and dates of birth do not. Once a criminal has those details, they can use them for numerous purposes. TalkTalk is clearly not taking that seriously enough.

In the United States, AT&T was fined £17 million for failing to protect customer data. In the United Kingdom, the ICO can only place fines of up to £500,000. For a company that received an annual revenue of nearly £1.8 billion, a fine that small will clearly not be terrifying. The regulation of telecoms must be strengthened to protect consumers.

Does the Minister agree that telecom providers must be held fully responsible for failing to protect confidential data? Regulation needs to be strengthened to ensure that; I am afraid that free counselling from TalkTalk is meaningless twaddle.

I thank the hon. Gentleman for that extensive question. As I said earlier, the Information Commissioner’s Office will obviously look at this data breach. It has extensive powers to take action and, indeed, to levy significant fines. The Government are always open to suggestions about how that could be improved. As I said in an earlier answer, I will certainly meet the Information Commissioner to look at what further changes may be needed in the light of this data breach.

The internet is the fastest growing sector of the economy, having moved from about 6% of GDP in 2011 to 10% now and growing. One of the aims of the Government’s admirable UK cyber-security strategy is to make the UK

“one of the most secure places in the world to do business”

in cyberspace. However, that depends on the capabilities of our law-enforcement operations, such as the Met police who are working with TalkTalk today. What can the Minister say about ensuring that our law-enforcement officers have the skills and capabilities needed to tackle cybercrime and to maintain the valuable confidence we need to continue to do growing business on the internet?

My right hon. Friend is quite right to say that cyber-security lies at the heart of the success of our digital economy. It is absolutely vital that customers can trust the websites to which they go and that we have the right law-enforcement capabilities. I am delighted that the police national cybercrime unit has received significant funding and that we have regional cybercrime units, including the Metropolitan police’s very effective cybercrime unit, which has worked so closely with TalkTalk since this matter came to light.

Two years ago, Adrian Leppard, the country’s most senior police officer for online fraud, told the Home Affairs Committee that we were not winning the war against cybercrime. Every month there are 600,000 cyber-attacks against British companies, and we need a 21st-century response to this 21st-century crime. Will the Minister seek an urgent meeting with the Home Secretary to see whether more of the cyber-budget could be put into policing, and will he consider what can be done to advise and assist British companies that lose £34 billion every year to cybercrime? Many attacks are launched from the territories of EU partners, and this is an international crime. The Government should be commended for putting in the money, but we must do more through Europol, in conjunction with other countries.

Given that the right hon. Gentleman has been gracious enough to commend the Government for investing money in this area, let me meet him half way. Of course Ministers meet across Departments—a number of Departments have relevant interests in this area—and we will always consider what more can be done. I will certainly take the right hon. Gentleman’s advice and ensure that Ministers meet across Departments to consider how we can co-ordinate our action more effectively.

I welcome what the Minister has said because it underlines the importance of cyber-security skills to our whole economy. Will he join me in congratulating Training 2000, which is currently establishing an institute of cyber-security in my constituency? That will provide cyber-security apprenticeships, along with a range of other courses for small and medium-sized businesses in my area.

I certainly join my hon. Friend in commending Training 2000. There are around 14 cyber-security clusters throughout the United Kingdom, and the Government continue to support this important industry.

No doubt the Minister is aware that many companies have decided to rethink their data protection strategies in the light of some of the more publicised cases of cybercrime, yet according to recent surveys, some 24% of companies are not doing that. The Government need to take more action to persuade companies to act. Perhaps the Minister will also think about reviewing the legislation on these matters, which is no longer fit for purpose.

This is not a case of the Government simply issuing a strategy and forgetting about it: we constantly engage with businesses, trade associations and professional services that can do a huge amount to advise their clients. However, I will take the right hon. Lady’s question in the spirit in which it was asked, because we can—and should—constantly engage with businesses on this issue. We will certainly consider any changes in legislation that she thinks necessary, and keep the issue under review.

The suggestion by the Chair of the Home Affairs Committee that most of these attacks come from the European Union means that I can blame the European Union for something more, although probably unfairly in this case. More seriously, constituents are getting calls and emails from companies that apparently need to talk to them because of the TalkTalk situation. Those companies say, “So that we know we are talking to the right person, can we have your address and date of birth?” What is the Minister’s advice to my constituents?

This case has achieved a great deal of publicity, and common sense tells us that people will somehow try to scam off the back of it. My advice to my hon. Friend’s constituents is to put the phone down. If hon. Members have an issue with a constituent who feels that this matter is not being taken seriously, they are welcome to contact me.

I was not clear from the Minister’s response to the Chair of the Home Affairs Committee whether the data that have been stolen from TalkTalk are raw or encrypted. There is a lot of concern about that. Is not part of the problem that all the information has to be provided online, and there is no opportunity for other forms of data—such as the old paper way—which were safer? Many people feel more secure providing smaller amounts of data but keeping copies.

The hon. Gentleman makes an interesting point. We now live in a digital world and we will see more and more companies engaging with their customers on digital platforms. Indeed, it is important to stress that customers find this convenient. I am sure all of us in this House transact with many organisations digitally, so I am not sure we can go backwards in that respect. The challenge for the Government is to engage with business and to emphasise, as we have not been shy in doing, the importance of maintaining proper cyber-security.

With the apparently increasing frequency of cyber-attacks, and to reassure my constituents, will my hon. Friend say whether he agrees that businesses that handle sensitive personal data such as bank account details must now put in place comprehensive procedures to ensure that customers are informed immediately if their data may have been breached by cyber-attack?

It is very important that all businesses, particularly those handling significant amounts of sensitive customer data, have robust procedures in place to protect those data and to inform customers when there may have been a data breach.

Has the Minister had any meetings with the Home Office to discuss the legislative changes that are required? Also, has he thought about using the draft communications Bill, which would seem to be an ideal vehicle for that and which I understand will come before the House later this month?

Whether it is an ideal vehicle would be a matter for the Home Office, but we certainly have plans to sit down with Ministers across Departments to discuss any possible legislative changes that need to be made.

The Minister will be aware that there are discussions in the European Union about updating data protection legislation, so, first, what outcomes would he like for consumers and what chance is there of achieving them? Secondly, if anyone has lost out financially as a result of this data protection breach, would TalkTalk or the banks be liable for compensating those consumers?

We have been working for many years on data protection regulation in the European Commission, and it is almost at the point of being completed. It has always been an important principle from the UK’s perspective that we put the consumer and the citizen at the centre of this. These are their data, and it is their right to own them and be sure about how they are used.

As far as compensation is concerned, as I said earlier, it will be a matter for the Information Commissioner’s office and TalkTalk to decide on any appropriate levels of compensation.

Since the election, the number of people working for the Government data services has declined and the appointment of a chief data officer has still not been made. What impact is that having on the advice that Ministers receive from officials about data protection and the security of online digital services in government?

I think the hon. Gentleman is referring to the Government Digital Service; and the Minister for the Cabinet Office, who is responsible for that service, has today made an important speech on its future. It is an extremely successful part of Government, and the hon. Gentleman can rest assured that the Government take the protection of citizens’ data on their own platforms extremely seriously.

I had better start by declaring an interest: I am a customer of TalkTalk and have so far not been contacted by the company by email or phone, or in any other way. The title for the urgent question contains the words “consumer protection”. Have Ministers considered ways that consumers can assess whether the providers of any of these services have robust cyber-security mechanisms in place? At the moment, we are completely blindsided as consumers.

The right hon. Lady makes a valid point. In many cases, businesses set out extremely detailed terms and conditions, but the idea that they are consumer-friendly is wide of the mark. If I can take, as it were, the spirit of her question, some kind of kitemark to denote companies that have robust cyber-security procedures in place would be something worth exploring.