NPower Shuts Down App After BreachUK Power Company Says Banking Data Exposed
British energy firm NPower has shut down its customer app after hackers accessed sensitive personal data, MoneySavingExpert.com reported on Thursday.
The news site says it learned of the hack after NPower sent an email on Feb. 2 alerting its customers about the app shutdown following unauthorized access to data.
The exposed data includes customers' personal details, such as date of birth and address and partial financial data - including bank sort codes and the last four digits of their bank account numbers. The hack is being investigated by the Information Commissioner's Office, the news site reports.
NPower did not immediately respond to a request for more details about the security incident.
One of the leading energy companies in Britain, Npower provides electricity and gas services to an estimated 3.6 million residential and business accounts in the country. The company is part of E.ON group, a European electric utility company based in Essen, Germany.
Because NPower is involved in many high-tech, high-value projects, it's clear why they were seen as a valuable target, says Dirk Schrader, global vice president of business development at Georgia-based New Net Technologies. "The attackers are roaming around within the compromised network infrastructure before they start to encrypt things. In consequence, this incident has some dangerous potential to become even more significant as the investigation is ongoing."
Ray Walsh, digital privacy expert at U.K.- based privacy advocates ProPrivacy, says hackers can use the exposed credentials for phishing schemes and other malicious attacks. "The probability that consumers will also now receive phishing emails is high, so it is essential that consumers watch their inboxes carefully for any emails that coerce them into following links or ask for personal information," Walsh says.
Npower could receive a substantial fine from U.K. data regulator ICO for violating the General Data Protection Regulation by not adequately safeguarding its clients’ data, Walsh says. "This is a huge lapse of security from Npower, which has put consumers at substantial risk, and it will now be down to the ICO to investigate to figure out whether they deserve a fine."
Targeting Energy Utilities
Over the past several years, security researchers have noted an uptick in hackers targeting electrical and power utilities in the U.S. and elsewhere.
In July 2020, security firm Proofpoint uncovered a spear-phishing campaign that targeted several U.S. energy providers in an attempt to spread a recently discovered remote access Trojan called FlowCloud (see: US Energy Utilities Targeted by FlowCloud Malware).
In March, the European Network of Transmission System Operators for Electricity, which represents over 40 electricity transmission operators throughout the continent, revealed that hackers penetrated its IT network (see: Hackers Target European Power Association).