Data Breach at People's Energy Impacts 270,000 Customers

A pre-Christmas data breach at supplier People’s Energy has exposed the personal information of all 270,000 customers, the firm acknowledged.

Hackers gained access to an entire database, containing customers’ names, addresses, dates of birth, phone numbers, People’s Energy account numbers, tariff information and gas and electricity meter IDs, People’s Energy co-founder Karin Sode told BBC News. The firm discovered the breach on 16 December.

However, no financial information was accessed, except for a small number of business energy customers. Online People’s Energy account passwords also remain secure.

Domestic customers are unlikely to face any direct financial risk as a result of the hack but could be more vulnerable to phishing attacks, when fraudsters pose as official sources, using the personal details they have to gain more, including bank account details.

People’s Energy has contacted all of its domestic customers to make them aware of the cyberattack. It is advising customers to be wary of suspicious contact and take care when responding to emails and phone calls unless they can verify the source. The supplier has also set up dedicated phone and email helplines for customers concerned about the data breach.

Additionally, hackers accessed the bank account numbers and sort code of 15 small business customers. The supplier has contacted them by phone.

The Edinburgh-based firm has also notified the Information Commissioner's Office, the National Centre for Cyber-Security, the energy regulator Ofgem and the police. But as of before Christmas, the firm had no information about the identity of the hackers.

Sode founded the firm with David Pike in 2017 to supply sustainable energy and return 75% of all profits to its customers.

A spokesperson for People’s Energy said the firm is “extremely upset” about the data breach, adding that the supplier is a Community Interest Company and takes pride in “putting our customers and community first.”

“We take the safety of our customers’ data very seriously and are very sorry that this criminal attack has affected so many people.”

“This is a big blow in every way,” Sode said. "We want people to feel they can trust us. This was not part of the plan. We're upset and sorry.”