South Staffs Water: Cyber-attack

Volume 724: debated on Wednesday 14 December 2022

Motion made, and Question proposed, That this House do now adjourn.—(Andrew Stephenson.)

Thank you, Mr Deputy Speaker, for allowing this Adjournment debate.

In July this year, South Staffordshire PLC, the parent company of both South Staffs Water and Cambridge Water, experienced a criminal cyber-attack. The incident involved the theft of data from its IT systems. Following the incident, it found evidence that some of its staff and customer data had been accessed. With investigations still ongoing, it has now been confirmed that at least 249,000 customers who pay by direct debit—pretty much all of my Dudley North constituents and myself included—have now seen their personal contact and banking details available on the dark web.

The incident took place in July this year, and customers have only in recent weeks been made aware of the real scale of the damage. I did meet virtually with the South Staffs team yesterday, ahead of this evening’s debate. To their credit, they are seemingly taking the issue much more seriously than initially perceived. It is clear that no business wants to harm its customers or be the victim of a cyber-attack.

I, too, have constituents who have been affected by this issue. I am a South Staffs Water customer myself, although my bank account details have not been breached. Does my hon. Friend agree that we must be concerned about the amount of time that it has taken between this issue being apparently found out by South Staffordshire PLC and customers being informed? I sincerely hope that South Staffordshire is able to reassure its customers that, when it comes to data, it will continue to take this matter incredibly seriously and do all it can to rectify the matter and continue to protect both my hon. Friend’s constituents and mine.

My right hon. Friend is correct. In fact, one aspect of the conversation that I had with the chief executive of South Staffordshire PLC was to challenge that very point. The response was that, at the time of the cyber-attack, it was not aware of the damage that had been caused and how extensive it might have been. It has taken time for it to understand the extent of what had happened. Then it had to respond within a certain timeframe under a duty to its customers. I have to say that it does feel like a long time, and, of course, during that time we have seen what has happened to customers’ data.

As I was saying a few moments ago, it is clear that no business wants to harm its customers or be victims of a cyber-attack, particularly those with a proven long and positive relationship with their customers, as in fact South Staffs Water does have. Not only were cyber-defences not strong enough, but I have been clear, and the company recognises, that the communications and response from the company were not as appropriate or as user-friendly as many of us would and should have expected.

I, too, was a victim of this situation as a Cambridge Water customer. On the communications point, it was lengthy and detailed, but for many customers I suspect it was intimidating. Does the hon. Gentleman agree that it would be better if the company had just said, “There is a problem. You can find out more here, but don’t worry, whatever happens, we will sort it out for you”?

The hon. Member is right, although I would not want to oversimplify the extent of the problem. The company has acknowledged that the response was not appropriate. It has accepted the critique and a number of the suggestions I made, and on the back of that, it has committed to making some improvements. I have yet to hear what those improvements will look like, but he is correct in what he says. Given the spectrum of customers that the company serves, we also need to think about tailored responses to different people, given the predicaments some of them may be in.

Several constituents have reached out to me with real anxieties and concerns, as have other Members. Picture this, if you will, Mr Deputy Speaker. You are an elderly resident with little or no access to IT or no IT literacy, and you have just received a six-page letter with instructions you are unable to deal with. It is a long and complicated letter—with very small font, I might add; something that even I would struggle with—with important information hidden several pages deep. You establish in the first page that your banking details and other personal details have been sold on a wholly unlawful area on the internet known as the dark web. You are told that criminals might take large sums of money from your accounts. Furthermore, upon reading the reams of prose, you find out you can only seek to protect yourself on the internet—something you might not even have access to. You may also be a vulnerable customer who perhaps receives care support in independent settings, but be wholly unprepared and unable to deal with something this complicated and even alien to the life you experience daily.

My hon. Friend has mentioned those who do not have access to internet or emails. I contacted South Staffs Water—I, too, have constituents affected by this cyber-attack—and it advised that these constituents would need to apply for paper copies of their records from three different credit reference agencies, and they would also need to verify their identity first. Does he agree that this will cause a considerable amount of work for those in these situations, particularly as they will presumably have to do this regularly to ensure they have up-to-date records?

My hon. Friend is right. All I can say is that the situation is clearly unacceptable, and the senior management team at the company now agree that their initial response was not adequate or appropriate. They physically have not had the time to address these concerns yet, but we should all be looking on behalf of our constituents to ensure that their response takes on board all these considerations.

Picturing yourself again as this vulnerable customer, Mr Deputy Speaker, you are then advised that to secure your data, you should register with another organisation called CIFAS—this was one of the things mentioned in the letter—at an additional personal cost, it was suggested by the company, of £25 a year. You are asked to then release yet more personal data on to the internet. That angered me somewhat, and it was one of the first things I mentioned to the chief executive. Their immediate response was, “We have withdrawn that. We are writing again to customers, and we have removed that, as it has created confusion. We should not have done it”, and that is part of the package that the company will be coming back with in support of its customers.

When a data breach such as this has happened, one cannot simply let it go, because it can affect credit ratings, which can in turn affect an individual’s ability to apply for credit, whether a loan, credit card, mortgage or even a mobile phone contract. It could lead to a household finding itself unable to pay for household bills, groceries, electricity or heating. Should the worst happen, a data breach could lead to an individual or family finding themselves severely impoverished through no fault of their own—that point must be emphasised.

I know that I would panic and be extremely anxious, and I am sure that you would be as well, Mr Deputy Speaker, should you have found yourself in such a situation. As many of us in the House will know, good, easy to read and user-friendly communications are vital for keeping our constituents informed and with peace of mind. That is why, after I met South Staffs Water, it acknowledged shortcomings in its initial communications with its customers, and I am assured at this point that it is taking serious steps to mitigate the anxiety caused and ensuring that its customers are supported. I have also asked it to make special arrangements—I do not know yet what they will look like—to reach out to some of those more vulnerable customer groups that I mentioned.

Those of us with constituents who are customers of South Staffs Water and Cambridge Water know that what is needed is better access to over-the-phone support and in-person community support—events and surgeries—to give the best support to the hardest-to-reach members of our communities and to proactively reach those who may not know how to respond to a data breach letter. We must ensure that those who may be less comfortable accessing support online, and indeed those who cannot do so, are not left out in the cold.

I am pleased that, having met South Staffs Water, it has committed to upping its game and is taking better action to support our constituents. What are businesses doing to support our constituents by future-proofing themselves against cyber-attacks? What are the Government doing to assist businesses in that endeavour, and indeed to protect public services that could be victims of such attacks, ultimately to protect all of our constituents?

I thank my hon. Friend the Member for Dudley North (Marco Longhi) for securing the debate and bringing attention to an important, serious issue that has been worrying a number of his constituents as well as constituents of those hon. Members who made contributions: my right hon. Friend the Member for Aldridge-Brownhills (Wendy Morton), my hon. Friend the Member for Burton (Kate Kniveton) and the hon. Member for Cambridge (Daniel Zeichner). Although my hon. Friend the Member for Dudley South (Mike Wood) cannot speak as he is a Government Whip, I know that he has also been active in contacting his affected constituents.

While cyber-resilience in the water sector is the responsibility of the Secretary of State for Environment, Food and Rural Affairs, I am responding as the Department for Digital, Culture, Media and Sport has responsibility for data protection and cyber-resilience for the wider economy—I know that you were wondering, Mr Deputy Speaker, why I was here once again. The threat to the UK from cyber-attacks is on the increase as evidenced by the sharp rise in ransomware attacks that British companies have suffered in the last few years. Cyber-criminals are increasingly seeing ransomware as a profitable business. The Government are committed to addressing that issue, as evidenced by the national cyber strategy that was published in December 2021.

As my hon. Friend the Member for Dudley North highlighted, in August, South Staffordshire plc—the parent company of South Staffs Water and Cambridge Water—was hit by a cyber-attack that resulted in data extortion and ransom. The criminals also exfiltrated information from the company and attempted to extort it for their own financial gains. The National Cyber Security Centre, which is a part of GCHQ, alongside UK law enforcement and the Department for Environment, Food and Rural Affairs, offered support to South Staffs Water and its incident response provider. In particular, the NCSC’s technical experts offered tactical and strategic guidance on how to effectively respond to and recover from the incident. DEFRA, which is responsible for the security and resilience of the water sector, also responded quickly and worked with South Staffs Water to understand the potential impact, provide business continuity advice and help it with notification requirements.

It is important to note that at no time was the water supply to residents affected. This was an attack on the organisation’s corporate IT system, which resulted in the theft of some customers’ personal data. I extend my sympathies to the customers who were affected and thank my hon. Friend the Member for Dudley North again for taking up this issue with the company on their behalf. As we heard, the company has contacted the affected customers and offered them advice and support, including a free 12-month credit monitoring and fraud alert service.

South Staffs Water made the Information Commissioner’s Office aware of the incident, and the ICO is making the necessary inquiries. Under the UK’s data protection legislation, organisations must take appropriate security measures to ensure the protection of the personal data they hold. That includes the personal and financial details of customers. If there is a breach of personal data that presents a risk to the affected individuals, organisations must notify the ICO within 72 hours of becoming aware of the breach. Breaches of the legislation are liable to enforcement action by the ICO, including fines of up to £17 million or 4% of the organisation’s global turnover for the most serious breaches.

Firms that deliver essential services like the supply of drinking water, transport or electricity are subject to regulations to ensure that their protections are appropriate to the risk. The Network and Information Systems Regulations 2018, or NIS regulations, which the Department for Digital, Culture, Media and Sport brought into effect, are the relevant regulations in this case. The regulations require companies, including South Staffs Water, to take steps to ensure the security, resilience and continuity of their services.

The NIS competent authorities are responsible for ensuring that organisations adhere to the regulations. The competent authority for the water supply sector is the Secretary of State for Environment, Food and Rural Affairs, and implementation is overseen by the Drinking Water Inspectorate. They responded to this incident, alongside the National Cyber Security Centre, to ensure that water remained safe and that the company was supported in its response. The NCSC worked with South Staffs Water by providing guidance on messaging, helping it to understand the potential impact and advising it on business continuity.

Only two weeks ago, the Government announced that following a public consultation, DCMS would strengthen the NIS regulations to boost security standards and increase the reporting of serious cyber-incidents. We will ensure that more services and organisations, including outsourced IT services, come within the scope of the NIS legislation. Those changes will reduce the risk of cyber-attacks causing damage and disruption. The changes to the law will be made as soon as parliamentary time allows.

However, legislation is not a silver bullet to address all cyber-threats. While it is important, it is only one of a broad range of activities, initiatives, programmes, and policies that are in place as part of the UK’s broader national cyber strategy, which was published in December 2021. If we are to limit the likelihood of such attacks being successful in the future, we have to raise the collective security and resilience of the whole country, and make everyone better equipped to resist and respond to those who would do us harm. The security and safety of our country is a top priority of the Government. Our national cyber strategy, backed with investment of £2.6 billion, sets out how the Government are taking action to ensure our people, businesses and essential services are secure and resilient to cyber-attacks. The National Cyber Security Centre is the Government’s technical authority on cyber-security. The NCSC is providing the expertise, advice, tools and support to ensure that government, industry and the public are secure online.

Those in law enforcement, including the National Crime Agency and our specialist cyber-trained officers in police forces across the country, are apprehending cyber-criminals and providing advice on how businesses can protect themselves. My Department is also working to improve levels of cyber-resilience right across the wider economy. That includes ensuring we have the skilled professionals we need, supported by a growing and innovative cyber-security sector that provides the products and services to keep organisations secure. We are also working to ensure organisations are operated and governed in a way that tackles the cyber threat appropriately, for example, by training board members and including digital risks in company annual reports. The Department for Digital, Culture, Media and Sport is also taking action to improve the security of the technology being used by businesses, organisations and consumers.

Given what we have heard today, I again commend my hon. Friend the Member for Dudley North for the way he engaged with the company about the correspondence, which, as I said, has to balance being simple to understand and including the complexities of the case. He was right to address that and I am glad that the company responded to his intervention. He talked about CIFAS. The fact is that that £25 subscription is an additional option. Again, I am glad that, thanks to his encouragement, the company clarified that for people who would, understandably, already be worried about loss and risk. Worrying about having to pay £25 to get support would have been an extra concern, but it is important to emphasise that that is not the case; they get all the support from the water company, but the £25 is an additional option, should they wish to take it up.

Despite your encouragement, Mr Deputy Speaker, I will not go on long today. I am pleased to have had the opportunity to reassure Members that the Government continue to take significant action to ensure the security and resilience of our country’s essential services and the wider digital economy. However, the cyber threat continues to evolve and remains very real, despite the good progress we have made in recent years. In the past 12 months, 39% of businesses and 30% of charities suffered a cyber-breach or attack. Many of them lost money and data, as well as suffering from disruption and having to invest staff time to fix the problems. Cyber-security threats posed by criminals and nation states continue to be acute, particularly from low-sophistication cyber-crime. Ransomware attacks are also on the rise, and their use as a service is becoming more and more prevalent. For that reason, organisations across the economy must ensure they continue to manage their risks appropriately and put in place the measures needed to protect their money, data and operations.

Question put and agreed to.

House adjourned.