Edinburgh-based electricity supplier People’s Energy has admitted it has suffered a major data breach that has compromised customer data.
The firm touts itself as an affordable and ethical energy provider “that puts people and planet first”. But unfortunately that doesn’t seem to have stopped its entire customer database being stolen by hackers.
The firm made the admission in a blog post on Thursday, in which it discussed the cyber security data breach.
The breach reportedly happened on Wednesday 16 December, and the firm admitted that while no financial information for its domestic members was compromised, some of its members’ other personal information was accessed.
“On Wednesday 16 December, we discovered that an unauthorised third party had gained access to one of the systems we use to store some of our members’ data,” said the firm. “As soon as we became aware of what was happening, we acted immediately to close down the route being used to get into our system, and to stop access to any further information.”
“We’ve informed the Information Commissioner’s Office and the energy industry regulator, Ofgem,” it added. “We’re following their guidance, and are keeping them updated on the situation.”
The firm confirmed to the BBC that its entire customer database had been stolen. One of the co-founders said she was upset and sorry, and that the breach was a big blow in every way.
So what customer data has been compromised?
Well, unfortunately, it seems like quite a bit, including names, addresses, phone numbers, email addresses, dates of birth, People’s Energy account numbers, tariff details, and gas and electricity meter identification numbers.
Online account passwords were apparently not compromised, and neither was customer financial data.
The firm said it was doing everything it could to notify affected customers.
One security expert warned a breach of this scale can have a significant impact on a business.
“This year has seen a rise in cybercriminal activity, and People’s Energy is the latest business to fall victim to an attack,” said Tony Pepper, CEO of security service specialist Egress Software Technologies.
“Data breaches of this scale can have a significant impact on a business, leading to loss of customer trust but also the potential for expensive private litigation, which we’ve seen in the recent British Airways case,” Pepper added. “Organisations have a duty of care to ensure that sensitive data remains secure, and they must be proactive in putting in place the right technology and security strategy to protect their customers’ data.”
“Unfortunately, the amount of personal data that was taken could leave People’s Energy customers vulnerable to phishing attacks in the future,” Pepper warned. “Consumers should remain vigilant to follow-up phishing attacks by checking the email address on any emails they receive, and hovering over any links before they click. Our advice would always be: if you receive an email asking for sensitive personal data or financial details, always ensure that you’re 100% sure it’s legitimate before you proceed.”
Another security expert noted that companies now have to give their cyber security the same consideration as they would their alarm and fire suppression systems.
“There must be a fundamental change in mindset regarding information security for all organisations,” said Chris Clements, VP of solutions architecture at Cerberus Sentinel.
“Risks from cyber-attack need to be taken with the same seriousness as risks from fire or flooding,” said Clements. “The reality is that most security compromises are simple attacks of opportunity and every organisation is a viable target for cyber criminals.”
“The same way organisations invest in fire suppression and alarm systems they also must consider cyber security protection and monitoring as part of the cost of doing business,” Clements concluded. “It’s critical that this start with adopting a culture of security from executive management to individual line of business contributors.”