British energy provider Npower has suffered a data breach exposing customers’ financial and personal data, forcing the company to shut down its mobile app.

Compromised data includes customers’ date of birth, address, contact details, bank sort codes and last four digits of bank account numbers.

Hackers gained access to an unknown number of accounts by using login details stolen from other websites. In such ‘credential stuffing’ attacks, cybercriminals count on people reusing the same passwords across multiple websites and use software to automatically test passwords at scale.

“These are not advanced attacks and the risk can be significantly reduced if online users use unique passwords for each account,” said Adam Palmer, chief cybersecurity strategist at cybersecurity firm Tenable.

“For businesses, these attacks are also one of the reasons they must act quickly to notify consumers of a data breach so steps can be taken to change passwords or monitor accounts.”

Npower, one of the ‘big six’ energy firms, did not say how many customers were impacted by the breach.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData
Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

In a statement, Npower said it had contacted affected customers and encouraged them to change their passwords. It said it has also offered advice “on how to prevent unauthorised access to their online account”.

Cybersecurity experts warned that the Npower data breach, first reported by MoneySavingExpert.com, increases the risk of fraud and phishing attacks against those affected.

Npower said it has notified the UK’s data regulator, the Information Commissioner’s Office, and Action Fraud.

“This is a huge lapse of security from Npower, which has put consumers at substantial risk, and it will now be down to the ICO to investigate to figure out whether they deserve a fine,” said Ray Walsh, digital privacy expert at ProPrivacy.

Jake Moore, cybersecurity specialist at internet security firm ESET, said: “Two-factor authentication is another great way to improve the security of accounts, so it is something Npower should consider to better protect their customers.

“In general, it is a good idea to remind people to implement 2FA across all of their accounts, making password stuffing attacks that much harder for cybercriminals.”

Read more: Server “fault” at online casino 32Red exposes personal data to other customers