British Gas Customers’ Data Exposed in Mystery Attack

Over 2,000 British Gas customers have been notified by the utilities provider that their email addresses and account passwords have been posted online by a third party.

If accessed by a malicious attacker, the information could be used to view customers’ names, addresses and previous energy bills and therefore help them craft convincing phishing emails or follow-up phone scams.

However, British Gas claimed in an email warning around 2,200 of its 14m+ customers that it wasn’t to blame.

According to the BBC, it noted:

"I can assure you there has been no breach of our secure data storage systems, so none of your payment data, such as bank account or credit card details, have been at risk. As you'd expect, we encrypt and store this information securely. From our investigations, we are confident that the information which appeared online did not come from British Gas."

The data in question has since been taken off Pastebin, although question marks will now be raised over where it came from.

It’s possible, as the report suggests, that the data came from a separate breach if the hackers checked to see if users shared credentials across their online accounts.

James Maude, senior security engineer at Avecto, argued that attackers may have taken data from the TalkTalk breach to access British Gas accounts, for example.

“This type of targeted attack is common practice now as it allows criminals to build a much more detailed profile of a victim in order to gain access to their bank accounts or steal their identity,” he said.

“More worryingly, with the rise of smart meters, energy patterns may show when someone is not at home.”

However, posting to Pastebin suggests those behind the incident were trying to make mischief rather than money—which makes it strange that there wasn’t a message from them explaining their motives.

Another suggestion is that, due to the small number of those affected, the data may have come from a specific phishing campaign against British Gas users.

What’s Hot on Infosecurity Magazine?