Scotland-based low-cost energy company People's Energy has admitted to suffering a cyber attack targeting its IT systems that resulted in hackers accessing the personal information of over 250,000 present and former customers.
Earlier today, People's Energy, which co-founders David Pike and Karin Sode launched in 2017 via a crowdfunding campaign to provide low-cost energy to citizens, said it discovered the cyber attack on Wednesday and immediately secured its systems, but not quickly enough to prevent hackers from copying the personal information of hundreds of thousands of present and former customers.
"On Wednesday 16 December, we discovered that an unauthorised third party had gained access to one of the systems we use to store some of our members’ data. As soon as we became aware of what was happening, we acted immediately to close down the route being used to get into our system, and to stop access to any further information," the company said.
According to the company, hackers were able to access the names, addresses, phone numbers, email addresses, dates of birth, People’s Energy account numbers, tariff details, and gas and electricity meter identification numbers of all customers, but customers' online accounts remain secure, as does customers' financial information such as payment card details.
"Details for all our members were accessed. This includes both current members and former members who’ve used us as their energy supplier in the past. We’re doing everything we can to contact everyone affected to explain what’s happened. We’ve informed the Information Commissioner’s Office and the energy industry regulator, Ofgem. We’re following their guidance, and are keeping them updated on the situation," People's Energy added in an email to customers.
"We take keeping your data safe extremely seriously. Right now, we’re working with a dedicated external security team to add additional protection to our systems. Your financial data is kept in a separate system with enhanced security."
The company is now warning customers that cyber criminals may leverage their stolen personal information, People’s Energy account numbers, tariff details, and gas and electricity meter identification numbers to conduct targeted phishing campaigns by impersonating the company or through other means.
The company has also communicated to customers that some of the emails they are receiving from the company are indeed genuine. These include emails to customers about voting in the upcoming advisory board elections and emails from a partner company concerning the installation of smart meters.
Commenting on the cyber attack targeting People's Energy, Paul Bischoff, privacy advocate at Comparitech.com, said that the company's customers should be on the lookout for targeted phishing messages from fraudsters posing as People's Energy or a related company. They will use the personal information stored in the database to customize messages and make them more convincing. Never click on links or attachments in unsolicited emails, and always verify the sender's identity before responding.
Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, said there must be a fundamental change in mindset regarding information security for all organizations. Risks from cyber-attack need to be taken with the same seriousness as risks from fire or flooding. The reality is that most security compromises are simple attacks of opportunity and every organisation is a viable target for cyber criminals.