The personal data of the 270,000 customers of the Scotland-based renewable energy provider People’s Energy have been stolen in an undisclosed “cybersecurity data breach”.
The breach is understood to have developed on December 16, 2020 when the company discovered that an unauthorized third party had gained access to its data storage systems. It affects both current and former customers who have used People’s Energy as their provider in the past.
Karin Sode, a co-founder of the provider, told the BBC that the breach was a “big blow” and that the company wanted its customers to feel they could trust it. “We are upset and sorry,” Sode said.
In a statement to its clients, the company said: “As soon as we realized what was happening, we took immediate action to close the path used to enter our system and to stop access to any additional information.
“We have informed the Information Commissioner’s Office and the energy industry regulator, Ofgem. We follow your guidance and keep you updated on the situation.
“Certain personal data of our members was accessed. This includes names, addresses, phone numbers, email addresses, dates of birth, People’s Energy account numbers, rate details, and gas and electric meter identification numbers.
“We are confident that for national members, no financial information was accessed, and members’ bank details are safe,” the firm said.
People’s Energy said it had identified how its security was compromised and addressed the breach.
“This year has seen an increase in cyber criminal activity, and People’s Energy is the latest company to be the victim of an attack. Data breaches of this scale can have a significant impact on a business, leading to loss of customer trust, but also the potential for costly private litigation, as we have seen in the recent British Airways case,” said Tony Pepper, CEO of Egress.
“Organizations have a duty to ensure the security of confidential data and must be proactive in implementing the appropriate technology and security strategy to protect their customers’ data.
“Unfortunately, the amount of personal data that was collected could leave People’s Energy customers vulnerable to phishing attacks in the future.
“Consumers should stay tuned for spoofing attacks by checking the email address in any email they receive and hovering over links before clicking. Our advice would always be: if you receive an email requesting confidential personal data or financial details, always make sure you are 100% sure it is legitimate before proceeding,” said Pepper.
Chris Clements, vice president of solutions architecture at Cerberus Sentinel, added: “There must be a fundamental shift in mindset regarding information security for all organizations. The risks of a cyber attack should be taken with the same seriousness as the risks of a fire or a flood. The reality is that most security compromises are simple attacks of opportunity and every organization is a viable target for cybercriminals.
“In the same way that organizations invest in fire alarm and suppression systems, they must also consider cyber security protection and monitoring as part of the cost of doing business. It is critical that this begins with the adoption of a culture of safety from executive management to individual line of business taxpayers.”
People’s Energy, a relatively new entrant to the burgeoning UK renewable energy market, was created in 2017 by Sode and partner David Pike after the pair tired of the “Big Six” energy providers.
The East Lothian couple collectively financed their company to the tune of nearly £500,000 in just 199 days and redistributed 75% of the company’s profits to their clients, who are actually shareholders, as an annual refund.