Marco Longhi – 2022 Speech on the Cyber-Attack on South Staffs Water
The speech made by Marco Longhi, the Conservative MP for Dudley North, in the House of Commons on 14 December 2022.
Thank you, Mr Deputy Speaker, for allowing this Adjournment debate.
In July this year, South Staffordshire PLC, the parent company of both South Staffs Water and Cambridge Water, experienced a criminal cyber-attack. The incident involved the theft of data from its IT systems. Following the incident, it found evidence that some of its staff and customer data had been accessed. With investigations still ongoing, it has now been confirmed that at least 249,000 customers who pay by direct debit—pretty much all of my Dudley North constituents and myself included—have now seen their personal contact and banking details available on the dark web.
The incident took place in July this year, and customers have only in recent weeks been made aware of the real scale of the damage. I did meet virtually with the South Staffs team yesterday, ahead of this evening’s debate. To their credit, they are seemingly taking the issue much more seriously than initially perceived. It is clear that no business wants to harm its customers or be the victim of a cyber-attack.
Wendy Morton (Aldridge-Brownhills) (Con)
I, too, have constituents who have been affected by this issue. I am a South Staffs Water customer myself, although my bank account details have not been breached. Does my hon. Friend agree that we must be concerned about the amount of time that it has taken between this issue being apparently found out by South Staffordshire PLC and customers being informed? I sincerely hope that South Staffordshire is able to reassure its customers that, when it comes to data, it will continue to take this matter incredibly seriously and do all it can to rectify the matter and continue to protect both my hon. Friend’s constituents and mine.
Marco Longhi
My right hon. Friend is correct. In fact, one aspect of the conversation that I had with the chief executive of South Staffordshire PLC was to challenge that very point. The response was that, at the time of the cyber-attack, it was not aware of the damage that had been caused and how extensive it might have been. It has taken time for it to understand the extent of what had happened. Then it had to respond within a certain timeframe under a duty to its customers. I have to say that it does feel like a long time, and, of course, during that time we have seen what has happened to customers’ data.
As I was saying a few moments ago, it is clear that no business wants to harm its customers or be victims of a cyber-attack, particularly those with a proven long and positive relationship with their customers, as in fact South Staffs Water does have. Not only were cyber-defences not strong enough, but I have been clear, and the company recognises, that the communications and response from the company were not as appropriate or as user-friendly as many of us would and should have expected.
Daniel Zeichner (Cambridge) (Lab)
I, too, was a victim of this situation as a Cambridge Water customer. On the communications point, it was lengthy and detailed, but for many customers I suspect it was intimidating. Does the hon. Gentleman agree that it would be better if the company had just said, “There is a problem. You can find out more here, but don’t worry, whatever happens, we will sort it out for you”?
Marco Longhi
The hon. Member is right, although I would not want to oversimplify the extent of the problem. The company has acknowledged that the response was not appropriate. It has accepted the critique and a number of the suggestions I made, and on the back of that, it has committed to making some improvements. I have yet to hear what those improvements will look like, but he is correct in what he says. Given the spectrum of customers that the company serves, we also need to think about tailored responses to different people, given the predicaments some of them may be in.
Several constituents have reached out to me with real anxieties and concerns, as have other Members. Picture this, if you will, Mr Deputy Speaker. You are an elderly resident with little or no access to IT or no IT literacy, and you have just received a six-page letter with instructions you are unable to deal with. It is a long and complicated letter—with very small font, I might add; something that even I would struggle with—with important information hidden several pages deep. You establish in the first page that your banking details and other personal details have been sold on a wholly unlawful area on the internet known as the dark web. You are told that criminals might take large sums of money from your accounts. Furthermore, upon reading the reams of prose, you find out you can only seek to protect yourself on the internet—something you might not even have access to. You may also be a vulnerable customer who perhaps receives care support in independent settings, but be wholly unprepared and unable to deal with something this complicated and even alien to the life you experience daily.
Kate Kniveton (Burton) (Con)
My hon. Friend has mentioned those who do not have access to internet or emails. I contacted South Staffs Water—I, too, have constituents affected by this cyber-attack—and it advised that these constituents would need to apply for paper copies of their records from three different credit reference agencies, and they would also need to verify their identity first. Does he agree that this will cause a considerable amount of work for those in these situations, particularly as they will presumably have to do this regularly to ensure they have up-to-date records?
Marco Longhi
My hon. Friend is right. All I can say is that the situation is clearly unacceptable, and the senior management team at the company now agree that their initial response was not adequate or appropriate. They physically have not had the time to address these concerns yet, but we should all be looking on behalf of our constituents to ensure that their response takes on board all these considerations.
Picturing yourself again as this vulnerable customer, Mr Deputy Speaker, you are then advised that to secure your data, you should register with another organisation called CIFAS—this was one of the things mentioned in the letter—at an additional personal cost, it was suggested by the company, of £25 a year. You are asked to then release yet more personal data on to the internet. That angered me somewhat, and it was one of the first things I mentioned to the chief executive. Their immediate response was, “We have withdrawn that. We are writing again to customers, and we have removed that, as it has created confusion. We should not have done it”, and that is part of the package that the company will be coming back with in support of its customers.
When a data breach such as this has happened, one cannot simply let it go, because it can affect credit ratings, which can in turn affect an individual’s ability to apply for credit, whether a loan, credit card, mortgage or even a mobile phone contract. It could lead to a household finding itself unable to pay for household bills, groceries, electricity or heating. Should the worst happen, a data breach could lead to an individual or family finding themselves severely impoverished through no fault of their own—that point must be emphasised.
I know that I would panic and be extremely anxious, and I am sure that you would be as well, Mr Deputy Speaker, should you have found yourself in such a situation. As many of us in the House will know, good, easy to read and user-friendly communications are vital for keeping our constituents informed and with peace of mind. That is why, after I met South Staffs Water, it acknowledged shortcomings in its initial communications with its customers, and I am assured at this point that it is taking serious steps to mitigate the anxiety caused and ensuring that its customers are supported. I have also asked it to make special arrangements—I do not know yet what they will look like—to reach out to some of those more vulnerable customer groups that I mentioned.
Those of us with constituents who are customers of South Staffs Water and Cambridge Water know that what is needed is better access to over-the-phone support and in-person community support—events and surgeries—to give the best support to the hardest-to-reach members of our communities and to proactively reach those who may not know how to respond to a data breach letter. We must ensure that those who may be less comfortable accessing support online, and indeed those who cannot do so, are not left out in the cold.
I am pleased that, having met South Staffs Water, it has committed to upping its game and is taking better action to support our constituents. What are businesses doing to support our constituents by future-proofing themselves against cyber-attacks? What are the Government doing to assist businesses in that endeavour, and indeed to protect public services that could be victims of such attacks, ultimately to protect all of our constituents?