NPOWER DATA BREACH
Npower, owned by E.ON, one of the Big 6 energy suppliers in the UK, had its customer app compromised in February this year. The breach involved using login data stolen from another website to access customer accounts via the Npower app. Hackers accessed the Npower app using a cyberattack known as ‘credential stuffing’.
WHAT NPOWER DID
What did Npower do to counter the data breach? Firstly, it took down its Android and Apple mobile app. It then notified customers who may have been affected by the data breach and locked their accounts. Part of a statement from Npower read:
“We identified suspicious cyber activity affecting the Npower mobile app, where someone has accessed customer accounts using login data stolen from another website. We immediately locked any online accounts that were potentially affected, blocked suspicious IP addresses and took down the Npower app.”
Npower claimed that the withdrawal of the app was already in the pipeline as part of its ‘existing wind-down plans.’ Customers will now have to make payments, view bills and enter meter readings via the Npower website. To unlock their accounts, customers needed to go to Npower.com, click on ‘Log in’, and then ‘I’ve forgotten my login details’.
The company did not disclose the number of individuals who may have been affected by the data breach.
WHAT DATA WAS ACCESSED?
Npower stated that hackers may have had access to the following information from customers whose accounts were compromised:
- Personal information including contact details, addresses and date of birth
- Partial financial information including sort codes and the last four digits of bank account numbers
- Contact preferences – do you prefer to be contacted by text, email, or phone
ICO INFORMED
To comply with the GDPR and UK-GDPR, and remain within the law, an organisation must report any data breach to the Information Commissioner’s Office (ICO) within 72 hours. Npower did this and said:
“We’ve also notified the Information Commissioner’s Office and Action Fraud. Protecting customers’ security and data is our top priority.”
The response from the ICO read:
“Npower has made us aware of an incident affecting their app and we are making enquiries.”
Npower also reported the data breach to Action Fraud, the UK’s national reporting centre for fraud and cybercrime.
WORDS FROM MONEYSAVINGEXPERT.COM
Helen Knapman, an editor at MoneySavingExpert.com, had these wise words to say about the Npower hack:
“More and more we’re seeing crooks turn online for the chance to get their hands on your hard-earned cash, whether directly or by stealing personal details which could help them carry out scams – and it appears this is what’s happened in this Npower data breach.”
She added:
“Anyone, regardless of whether their account has been compromised, should always use different passwords for all of their online accounts – if you struggle to remember them, you can store them in a password manager. If you’re concerned your data may have been accessed, monitor your bank account and also keep an eye on your credit report to see if someone is making false applications for credit in your name.”
WHAT YOU CAN DO
There’s no guarantee that you can bring cybercrime to a halt. But there are things that you can do that will significantly reduce the risk of being the victim of a data breach. Here are a few guidelines, adding to the advice given by Helen Knapman, that will help to keep your data safe and secure at work and at home:
- Use strong passwords and change them regularly
- Don’t use predictable passwords such as names and places
- Use different login credentials for different accounts
- Don’t share passwords with anyone
- Use a password manager like LastPass
- Watch out for phishing emails
- Monitor your bank account
If you think that you’ve been a victim of cyber fraud, don’t be shy. Immediately report any cybercrime resulting from a data breach to your bank and to Action Fraud online.