UK energy supplier npower’s app has been hacked, and customers' accounts accessed, including partial bank details.
The attack was first reported by MoneySavingExpert.com, which found that accounts had been accessed using login data obtained from other websites. This technique is called credential stuffing: an attacker takes a list of credentials compromised elsewhere and tries them against another system's login.
Personal information including contact details, dates of birth and addresses was accessed, as were customers' sort codes and the last four digits of bank account numbers, but crucially not the full numbers. Contact preferences were also accessed by the hackers.
Emails were sent to customers on 2 February, warning them that their accounts had been locked due to third-party access.
npower has now closed its app, and will not relaunch it as it was set to close in the coming weeks anyway. Customers are able to access all the information through the website instead.
With the energy sector becoming increasingly digitalised, the risk of cyberattacks has grown, with a number of high-profile hacks in the last year. This includes fellow energy supplier People’s Energy suffering a data breach in an “extremely upsetting” cyberattack in December.
Prior to this, Elexon suffered a cyberattack in May, in which documents obtained through the use of ransomware were then leaked on the dark web. This includes files such as images of users' passports, enterprise renewal application forms and analysis data, among other items.
John Vestberg, president and CEO of cybersecurity company Clavister, said the npower breach highlighted that no matter how prepared a company may think they are, “cybercriminals will always try to get the upper hand by taking advantage of the weak spots you didn’t know you had”.
“The UK has been working from home for almost a year, which means the personal and professional has become more intertwined than ever before – the danger of this is people are likely to be using passwords across personal and business applications as there isn't an obvious mental barrier, like going into and leaving an office is.”
Current± has approached npower for comment.