UK energy supplier People’s Energy has suffered a data breach affecting its entire database, including information on previous customers.
Co-founder of the company, Karin Sode, told BBC News that sensitive personal information of its customers, including names, addresses, dates of birth, phone numbers, tariff and energy meter IDs had been stolen by hackers. Following discovery of the breach on Wednesday morning, it has contacted all its 270,000 current customers to inform them of the breach.
Additionally, the hackers accessed the bank accounts and sort codes of 15 small business customers, and People’s Energy said it had contacted them separately by phone. No other customers had their financial information accessed.
The firm added it has informed the Information Commissioners Office (ICO) of the breach, as well as the National Cyber Security Center (NCSC) and the police. It is now working with independent experts to investigate how the breach occurred and identity of the attackers.
Quoted by the BBC, Sode said: “This is a big blow in every way. We want people to feel they can trust us. This was not part of the plan. We’re upset and sorry.”
Most of those affected are unlikely to face any direct financial risk, but will likely be at risk of targeted phishing attacks in the future.
Commenting, Paul Bischoff, privacy advocate at Comparitech.com, said: “Every data breach is cause for concern, but we should be particularly worried about attacks on critical infrastructure. In the coming days, I hope the attacker can be identified so we know whether this was a nation state threat actor or just an independent hacker looking for low-hanging fruit. Thankfully, People’s Energy’s actual service infrastructure was unaffected, and the vast majority of victims had none of their financial information stolen.
“People’s Energy customers should be on the lookout for targeted phishing messages from fraudsters posing as People’s Energy or a related company. They will use the personal information stored in the database to customize messages and make them more convincing. Never click on links or attachments in unsolicited emails, and always verify the sender’s identity before responding.”
Chris Hauk, consumer privacy champion at Pixel Privacy, added: “Data breaches like the one suffered by People’s Energy emphasizes the need for companies big and small to harden their systems against breaches of this sort. People’s Energy should be applauded for not wasting any time in alerting their customers and officials to the breach. This upfront admission could help prevent their customers from being phished by the bad actors that performed the breach.”
People’s Energy is the latest of a number of businesses that have experienced large-scale data breaches this year, including Marriot International, Experian and easyJet.