People’s Energy was affected by a cyber security data breach when an unauthorised third party gained access to its systems. This page explains how the People’s Energy data breach happened.
In December 2020, People’s Energy suffered a data breach which affected every single one of its 270,000 customers. The breach happened when hackers stole a database from People’s Energy. The data stolen included customer:
15 small-business customers also had their bank accounts and sort codes accessed. All 270,000 current customers were contacted following the data breach.
The email from People’s Energy said:
“We’re very sorry to tell you that on the 16th December People’s Energy was affected by a cyber security data breach.
“No financial information, bank account details, or People’s Energy online account passwords have been compromised for any domestic customers. However, some personal details were accessed. These include member names, addresses, email addresses, telephone numbers, dates of birth, People’s Energy account numbers, tariff details, and meter identification numbers.
“We have acted quickly and informed the Police, Information Commissioner and Ofgem. We’re following their advice in dealing with this situation.
“Given the importance of this message, we are trying to send as fast as possible via multiple channels, therefore you may receive this communication more than once.
“We have implemented additional security measures to protect your data
“We have identified how our systems were accessed and the gap in our security has been closed. We’re also working with a dedicated security team to add further protection to our systems.
“You will also be asked for more details than normal when you contact us – this is standard procedure to help us make sure we know we are talking to you, our member.”
People’s Energy warned victims of this breach to be cautious. It said:
“We would ask you and all our members to be cautious, as it is possible that someone might try to contact you with the details they have accessed. If you are suspicious about any communication coming from People’s Energy or pretending to come from People’s Energy, you should contact our member helpline and let us know.”
People’s Energy also set up a dedicated team to help customers following the breach.
Commenting on the People’s Energy data breach, Kingsley Hayes, leading data protection expert and Head of Data breach at Keller Postman UK, said:
“A spokesperson for People’s Energy said that the business was “extremely upset” that the breach occurred and has highlighted its ‘Community Interest*’ status as evidence that it puts its customers and community first. Unfortunately, with the impact on customers potentially significant and distressing, good intentions are no defence if it is found that poor security made the criminal attack possible. Today, businesses of all types and sizes will likely fall victim to a cyberattack at some point. So, every company must do all it can to protect customers from data theft.”
*A community interest company is a company recognised under the Companies Act 2004 that aims to use its profits and assets for the public good.
See our answers to the FAQs we get asked about the People’s Energy data breach.
The breach occurred after cybercriminals targeted the company’s IT systems. During this attack, the hackers accessed and copied the personal information of over 250,000 current and former customers. The cybersecurity data breach happened on 16 December 2020.
The People’s Energy data breach affected every one of its current customers; it could have also affected previous customers. Fifteen small-business customers were also put at risk.
The stolen information included:
No financial information, bank account details, or People’s Energy online account passwords were compromised for any domestic customers. However, the 15 small-business customers had their bank accounts and sort codes accessed.
Affected customers were contacted to alert them to the privacy violation.
Following the breach, People’s Energy informed the Police, the Information Commissioner and Ofgem. It also launched an internal investigation into why the breach happened and implemented additional security measures to protect customer data from further harm.