Major UK energy supplier Npower has had to scrap its app after cybercriminals stole sensitive customer information, including financial data. The incident was first reported by MoneySavingExpert.com, and Npower has stated that customer information was exploited after login details were taken from other websites.
This common cyberattack tactic – known as credential stuffing – allowed the hackers to gain access to customer accounts. Npower has confirmed that not all accounts were accessed, and that the customers whose accounts were accessed have since been contacted about the breach and had their accounts locked.
It is still unclear how the breach occurred, but the hackers were able to view personal information, partial financial information, and contact preferences. The Information Commissioner's Office (ICO) has been notified in accordance with GDPR and an investigation is underway.
The Npower app will remain shut down (a shutdown that was planned to happen after the acquisition by Eon), with the company ensuring that a similar attack will be avoided. It has also said that all customers must continue to use the website services as normal.
Further advice provided by Npower requires all users to change their passwords on all other accounts and to ensure that the same password is not being used on more than one account. Users should also be on alert for any potentially fraudulent or suspicious activity with their bank accounts.
If you think you’ve been a victim of fraud, report it to Action Fraud online at actionfraud.police.uk or by calling 0300 123 2040.
Providing further insight and advice are the following cybersecurity experts:
James McQuiggan, security awareness advocate at KnowBe4:
“We all know it’s easier to ..