February 26, 2021

Npower data breach: Credential stuffing attack forces app closure

By Robert Scammell

British energy provider Npower has suffered a data breach exposing customers’ financial and personal data, forcing the company to shut down its mobile app.

Compromised data includes customers’ date of birth, address, contact details, bank sort codes and last four digits of bank account numbers.

Hackers gained access to an unknown number of accounts by using login details stolen from other websites. In such ‘credential stuffing’ attacks, cybercriminals count on people reusing the same passwords across multiple websites and use software to automatically test passwords at scale.

“These are not advanced attacks and the risk can be significantly reduced if online users use unique passwords for each account,” said Adam Palmer, chief cybersecurity strategist at cybersecurity firm Tenable.

“For businesses, these attacks are also one of the reasons they must act quickly to notify consumers of a data breach so steps can be taken to change passwords or monitor accounts.”

Npower, one of the ‘big six’ energy firms, did not say how many customers were impacted by the breach.

In a statement, Npower said it had contacted affected customers and encouraged them to change their passwords. It said it has also offered advice “on how to prevent unauthorised access to their online account”.

Cybersecurity experts warned that the Npower data breach, first reported by MoneySavingExpert.com, increases the risk of fraud and phishing attacks against those affected.

Npower said it has notified the UK’s data regulator, the Information Commissioner’s Office, and Action Fraud.

“This is a huge lapse of security from Npower, which has put consumers at substantial risk, and it will now be down to the ICO to investigate to figure out whether they deserve a fine,” said Ray Walsh, digital privacy expert at ProPrivacy.

Jake Moore, cybersecurity specialist at internet security firm ESET, said: “Two-factor authentication is another great way to improve the security of accounts, so it is something Npower should consider to better protect their customers.

“In general, it is a good idea to remind people to implement 2FA across all of their accounts, making password stuffing attacks that much harder for cybercriminals.”
