In late February, it was revealed that some customers of energy company Npower had had their accounts hacked via the customer app, exposing their private data. The company has not put a number on the victims affected, but it is believed that the attack took place in early February, after which those affected were notified. It is currently understood that Npower is not to blame for the hack, with no evidence that the company has breached data protection law: criminals targeted individual accounts to try to break into them, as opposed to successfully breaking into Npower’s own servers and systems. We will outline how the hacks happened in this article. Nevertheless, those with hacked Npower accounts are at immediate risk of fraud.
As advocates of data security, we believe it is important to highlight the risks Npower app users have been exposed to, even where the company is found to not be at fault for what has happened. Even if you have not been affected by the cyberattack, it still offers a valuable lesson about the risks of data exposure and the actions we can take as individuals to protect our personal data, and how criminals can target accounts to break into them.
Hack prompts Npower to close down app
Though the exact nature and scale of the attack have not been revealed, customers have been informed of the data that has been stolen from their hacked Npower accounts, which can include:
- contact details;
- dates of birth;
- contact preferences (whether customers prefer to be contacted by email, text or phone call);
- partial bank account details, including sort codes and the last four digits of the account number.
Following the attack, Npower closed down the app and has chosen to keep it shut down, given that the company had in any event intended to deactivate it only weeks after the hack occurred. This sensible course of action has hopefully helped to prevent more information misuse.
Hacked Npower accounts and the risks of reusing passwords
The ICO is investigating the hacked accounts, but Npower has already identified the type of attack. The hackers used a technique called credential stuffing, which involves inputting login details, often exposed from other websites and accounts, to see whether access is granted where people reuse credentials on more than one site. As such, the breach highlights how important it is for consumers to use as many different passwords as they can across their online accounts.
We understand that this can be difficult, given that many of us have dozens of accounts with different companies, but you do not want to put yourself at risk of having all your accounts hacked simply because one password has been stolen or exposed. Those with hacked Npower accounts are now at risk of information misuse, and need to watch out for scam calls, phishing emails and unauthorised transactions on their accounts.
While you cannot entirely prevent risks such as this, it is important to make it more difficult for fraudsters to target you by making your passwords as secure as possible.
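From the service operator's side, credential stuffing as described above shows up in login logs as one source trying many different usernames, with most attempts failing. The following Python is an added example, not Npower's code or anything from the original article; the thresholds, the event layout and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed sliding-window length
MIN_USERS = 10                 # assumed: distinct usernames per source before flagging
MIN_FAIL_RATIO = 0.8           # assumed: stuffing runs fail most of the time

def build_sample_events():
    """Constructed login events: (timestamp, source_ip, username, succeeded)."""
    t0 = datetime(2021, 2, 1, 9, 0, 0)  # arbitrary constructed start time
    events = []
    # One source trying 12 different accounts once each, 10 seconds apart.
    for i in range(12):
        events.append((t0 + timedelta(seconds=10 * i), "203.0.113.7",
                       f"user{i:02d}@example.com", i == 7))
    # An ordinary customer mistyping a password twice, then logging in.
    for i, ok in enumerate([False, False, True]):
        events.append((t0 + timedelta(seconds=30 * i), "198.51.100.20",
                       "alice@example.com", ok))
    return sorted(events)

def detect_stuffing(events):
    """Return {source_ip: accounts that logged in successfully in a flagged window}."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most WINDOW.
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            users = {user for _, _, user, _ in window}
            failures = sum(1 for _, _, _, ok in window if not ok)
            if len(users) >= MIN_USERS and failures / len(window) >= MIN_FAIL_RATIO:
                # Successful logins inside a stuffing run are the accounts
                # whose reused password worked: reset and notify these.
                hits = {user for _, _, user, ok in window if ok}
                flagged.setdefault(ip, set()).update(hits)
    return {ip: sorted(users) for ip, users in flagged.items()}

if __name__ == "__main__":
    for ip, accounts in detect_stuffing(build_sample_events()).items():
        print(f"{ip}: likely credential stuffing; reset and notify {accounts}")
```

The customer who mistypes a password twice is not flagged, because only one username is involved; the source that cycles through many usernames is, and the one account it got into is singled out for a forced reset.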
Taking action after a cyberattack
Anyone with hacked Npower accounts should take immediate action to secure their other accounts and passwords where necessary. In fact, credential stuffing is a common hacking technique which all of us should remain conscious of when setting up online accounts. Anyone who has fallen victim to this hack may well have their credentials already exposed and should check all their accounts and secure them with strong and unique credentials on each platform. Make use of multi-factor authentication and login event notifications too.
As advocates of data security, we have helped many claimants to recover compensation for breaches of data privacy. Where the law has been breached, this can be a victim’s next step in taking action to ensure those responsible are held to account.
If you need advice on a potential compensation claim, call us today for free or register your details for a call-back.
IMPORTANT: advice on this page is intended to be up-to-date for the 'first published date'.
First published by Author on June 29, 2021