Paul Scully – 2022 Speech on the Cyber-Attack on South Staffs Water
The speech made by Paul Scully, the Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport, in the House of Commons on 14 December 2022.
I thank my hon. Friend the Member for Dudley North (Marco Longhi) for securing the debate and bringing attention to an important, serious issue that has been worrying a number of his constituents as well as constituents of those hon. Members who made contributions: my right hon. Friend the Member for Aldridge-Brownhills (Wendy Morton), my hon. Friend the Member for Burton (Kate Kniveton) and the hon. Member for Cambridge (Daniel Zeichner). Although my hon. Friend the Member for Dudley South (Mike Wood) cannot speak as he is a Government Whip, I know that he has also been active in contacting his affected constituents.
While cyber-resilience in the water sector is the responsibility of the Secretary of State for Environment, Food and Rural Affairs, I am responding as the Department for Digital, Culture, Media and Sport has responsibility for data protection and cyber-resilience for the wider economy—I know that you were wondering, Mr Deputy Speaker, why I was here once again. The threat to the UK from cyber-attacks is on the increase as evidenced by the sharp rise in ransomware attacks that British companies have suffered in the last few years. Cyber-criminals are increasingly seeing ransomware as a profitable business. The Government are committed to addressing that issue, as evidenced by the national cyber strategy that was published in December 2021.
As my hon. Friend the Member for Dudley North highlighted, in August, South Staffordshire plc—the parent company of South Staffs Water and Cambridge Water—was hit by a cyber-attack that resulted in data extortion and ransom. The criminals also exfiltrated information from the company and attempted to extort it for their own financial gains. The National Cyber Security Centre, which is a part of GCHQ, alongside UK law enforcement and the Department for Environment, Food and Rural Affairs, offered support to South Staffs Water and its incident response provider. In particular, the NCSC’s technical experts offered tactical and strategic guidance on how to effectively respond to and recover from the incident. DEFRA, which is responsible for the security and resilience of the water sector, also responded quickly and worked with South Staffs Water to understand the potential impact, provide business continuity advice and help it with notification requirements.
It is important to note that at no time was the water supply to residents affected. This was an attack on the organisation’s corporate IT system, which resulted in the theft of some customers’ personal data. I extend my sympathies to the customers who were affected and thank my hon. Friend the Member for Dudley North again for taking up this issue with the company on their behalf. As we heard, the company has contacted the affected customers and offered them advice and support, including a free 12-month credit monitoring and fraud alert service.
South Staffs Water made the Information Commissioner’s Office aware of the incident, and the ICO is making the necessary inquiries. Under the UK’s data protection legislation, organisations must take appropriate security measures to ensure the protection of the personal data they hold. That includes the personal and financial details of customers. If there is a breach of personal data that presents a risk to the affected individuals, organisations must notify the ICO within 72 hours of becoming aware of the breach. Breaches of the legislation are liable to enforcement action by the ICO, including fines of up to £17 million or 4% of the organisation’s global turnover for the most serious breaches.
Firms that deliver essential services like the supply of drinking water, transport or electricity are subject to regulations to ensure that their protections are appropriate to the risk. The Network and Information Systems Regulations 2018, or NIS regulations, which the Department for Digital, Culture, Media and Sport brought into effect, are the relevant regulations in this case. The regulations require companies, including South Staffs Water, to take steps to ensure the security, resilience and continuity of their services.
The NIS competent authorities are responsible for ensuring that organisations adhere to the regulations. The competent authority for the water supply sector is the Secretary of State for Environment, Food and Rural Affairs, and implementation is overseen by the Drinking Water Inspectorate. They responded to this incident, alongside the National Cyber Security Centre, to ensure that water remained safe and that the company was supported in its response. The NCSC worked with South Staffs Water by providing guidance on messaging, helping it to understand the potential impact and advising it on business continuity.
Only two weeks ago, the Government announced that following a public consultation, DCMS would strengthen the NIS regulations to boost security standards and increase the reporting of serious cyber-incidents. We will ensure that more services and organisations, including outsourced IT services, come within the scope of the NIS legislation. Those changes will reduce the risk of cyber-attacks causing damage and disruption. The changes to the law will be made as soon as parliamentary time allows.
However, legislation is not a silver bullet to address all cyber-threats. While it is important, it is only one of a broad range of activities, initiatives, programmes, and policies that are in place as part of the UK’s broader national cyber strategy, which was published in December 2021. If we are to limit the likelihood of such attacks being successful in the future, we have to raise the collective security and resilience of the whole country, and make everyone better equipped to resist and respond to those who would do us harm. The security and safety of our country is a top priority of the Government. Our national cyber strategy, backed with investment of £2.6 billion, sets out how the Government are taking action to ensure our people, businesses and essential services are secure and resilient to cyber-attacks. The National Cyber Security Centre is the Government’s technical authority on cyber-security. The NCSC is providing the expertise, advice, tools and support to ensure that government, industry and the public are secure online.
Those in law enforcement, including the National Crime Agency and our specialist cyber-trained officers in police forces across the country, are apprehending cyber-criminals and providing advice on how businesses can protect themselves. My Department is also working to improve levels of cyber-resilience right across the wider economy. That includes ensuring we have the skilled professionals we need, supported by a growing and innovative cyber-security sector that provides the products and services to keep organisations secure. We are also working to ensure organisations are operated and governed in a way that tackles the cyber threat appropriately, for example, by training board members and including digital risks in company annual reports. The Department for Digital, Culture, Media and Sport is also taking action to improve the security of the technology being used by businesses, organisations and consumers.
Given what we have heard today, I again commend my hon. Friend the Member for Dudley North for the way he engaged with the company about the correspondence, which, as I said, has to balance being simple to understand and including the complexities of the case. He was right to address that and I am glad that the company responded to his intervention. He talked about CIFAS. The fact is that that £25 subscription is an additional option. Again, I am glad that, thanks to his encouragement, the company clarified that for people who would, understandably, already be worried about loss and risk. Worrying about having to pay £25 to get support would have been an extra concern, but it is important to emphasise that that is not the case; they get all the support from the water company, but the £25 is an additional option, should they wish to take it up.
Despite your encouragement, Mr Deputy Speaker, I will not go on long today. I am pleased to have had the opportunity to reassure Members that the Government continue to take significant action to ensure the security and resilience of our country’s essential services and the wider digital economy. However, the cyber threat continues to evolve and remains very real, despite the good progress we have made in recent years. In the past 12 months, 39% of businesses and 30% of charities suffered a cyber-breach or attack. Many of them lost money and data, as well as suffering from disruption and having to invest staff time to fix the problems. Cyber-security threats posed by criminals and nation states continue to be acute, particularly from low-sophistication cyber-crime. Ransomware attacks are also on the rise, and their use as a service is becoming more and more prevalent. For that reason, organisations across the economy must ensure they continue to manage their risks appropriately and put in place the measures needed to protect their money, data and operations.
