Utility supplier People’s Energy has entire customer list stolen

Personal data on all 270,000 customers of Scotland-based renewable energy supplier People’s Energy have been stolen in a “cyber security data breach” of an undisclosed nature.

The breach is understood to have unfolded on 16 December 2020 when the company found an unauthorised third party had gained access to its data storage systems. It affects both current customers and former customers who have used People’s Energy as their supplier in the past.

Karin Sode, co-founder of the supplier, told the BBC the breach was a “big blow” and that the company wanted its customers to feel they could trust them. “We’re upset and sorry,” she said.

In a statement to its customers, the company said: “As soon as we became aware of what was happening, we acted immediately to close down the route being used to get into our system, and to stop access to any further information. 

“We’ve informed the Information Commissioner’s Office and the energy industry regulator, Ofgem. We’re following their guidance and are keeping them updated on the situation.

“Certain personal details of our members were accessed. This includes names, addresses, phone numbers, email addresses, dates of birth, People’s Energy account numbers, tariff details, and gas and electricity meter identification numbers.

“We’re confident that for domestic members, no access was gained to any financial information, and members’ bank details are safe and secure,” the firm said.

People’s Energy said it had identified how its security was compromised and addressed the breach.

“This year has seen a rise in cyber criminal activity, and People's Energy is the latest business to fall victim to an attack. Data breaches of this scale can have a significant impact on a business, leading to loss of customer trust but also the potential for expensive private litigation, which we’ve seen in the recent British Airways case,” said Egress CEO Tony Pepper.

“Organisations have a duty of care to ensure that sensitive data remains secure, and they must be proactive in putting place the right technology and security strategy to protect their customers’ data.

“Unfortunately, the amount of personal data that was taken could leave People’s Energy customers vulnerable to phishing attacks in the future.

“Consumers should remain vigilant to follow-up phishing attacks by checking the email address on any emails they receive, and hovering over any links before they click. Our advice would always be: if you receive an email asking for sensitive personal data or financial details, always ensure that you're 100% sure it's legitimate before you proceed,” said Pepper.

Chris Clements, vice-president of solutions architecture at Cerberus Sentinel, added: “There must be a fundamental change in mindset regarding information security for all organisations. Risks from cyber attack need to be taken with the same seriousness as risks from fire or flooding. The reality is that most security compromises are simple attacks of opportunity and every organisation is a viable target for cyber criminals.

“The same way organisations invest in fire suppression and alarm systems they also must consider cyber security protection and monitoring as part of the cost of doing business. It’s critical that this start with adopting a culture of security from executive management to individual line of business contributors.”

A relatively new entrant to the UK’s burgeoning renewable energy market, People’s Energy was set up by Sode and her partner, David Pike, in 2017 after growing tired of the Big Six energy providers.

The couple, from East Lothian, crowdfunded their venture to the tune of almost £500,000 in just 199 days, and redistribute 75% of the company profits to its customers – who are in effect shareholders – as an annual rebate.