
Cyber Incident Victim: Npower

Date:

Feb 2021

Location:

United Kingdom

Summary

A British energy provider suffered a data breach when attackers used stolen credentials from other websites to access customer accounts via credential stuffing, exposing personal and financial details including addresses, dates of birth, contact information, and partial bank account data. The incident forced the company to shut down its mobile app, prompted customer notifications advising password changes, and was reported to relevant authorities amid warnings of heightened fraud and phishing risks. Cybersecurity experts highlighted the attack's reliance on password reuse and noted the absence of two-factor authentication as a vulnerability.


Description

On or around February 26, 2021, British energy provider Npower suffered a data breach resulting from a credential stuffing attack, which compromised customer personal and financial information. The attackers used automated tooling to replay username and password pairs leaked from breaches of other websites against Npower's login; the technique needs no flaw in the target's own systems, and only accounts whose owners had reused the same password elsewhere could be opened this way. The compromised data included customers' dates of birth, addresses, contact details, bank sort codes, and the last four digits of bank account numbers. Npower shut down its mobile app as a containment measure. The company did not disclose the number of affected customers but confirmed it had directly notified those impacted, advising them to change their passwords and giving guidance on preventing unauthorized account access. Npower reported the incident to the UK Information Commissioner's Office (ICO) and to Action Fraud, the national fraud reporting center. Cybersecurity experts characterized the attack as unsophisticated, emphasizing that credential stuffing exploits nothing more than password reuse across accounts. The breach was first publicly reported by MoneySavingExpert.com, and analysts warned of increased fraud and phishing risk for affected individuals, since the exposed details are enough to make targeted phishing messages convincing.
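As an added example, not Npower's code and not drawn from the page's sources, the following Python sketches the detection a login service could run over its own authentication logs to spot a credential-stuffing burst of the kind described above: one source address trying many distinct usernames within a short window with mostly failures, as distinct from a single customer mistyping a password or a brute force against one account. It also lists the accounts that authenticated successfully from a flagged address, which is the set that needs a forced reset and a customer notification. The log format, the thresholds, the IP addresses and the usernames are all constructed assumptions.

```python
"""Sliding-window credential-stuffing detector over web-login logs.

Added illustration, not Npower's code or telemetry. The log format, the
thresholds and every sample line below are assumptions constructed for it.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format: "<ISO-8601 UTC timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL)$"
)

# Constructed sample: one address replays ten leaked username/password pairs in
# ten seconds (two still work), one customer mistypes once, one ordinary login,
# and one single-account brute force that is NOT credential stuffing.
SAMPLE_LOG = """\
2021-02-26T02:00:01Z 203.0.113.7 alice LOGIN_FAIL
2021-02-26T02:00:02Z 203.0.113.7 bob LOGIN_FAIL
2021-02-26T02:00:03Z 203.0.113.7 carol LOGIN_FAIL
2021-02-26T02:00:04Z 203.0.113.7 dave LOGIN_OK
2021-02-26T02:00:05Z 203.0.113.7 erin LOGIN_FAIL
2021-02-26T02:00:06Z 203.0.113.7 frank LOGIN_FAIL
2021-02-26T02:00:07Z 203.0.113.7 grace LOGIN_OK
2021-02-26T02:00:08Z 203.0.113.7 heidi LOGIN_FAIL
2021-02-26T02:00:09Z 203.0.113.7 ivan LOGIN_FAIL
2021-02-26T02:00:10Z 203.0.113.7 judy LOGIN_FAIL
2021-02-26T02:05:00Z 198.51.100.20 bob LOGIN_FAIL
2021-02-26T02:05:30Z 198.51.100.20 bob LOGIN_OK
2021-02-26T02:10:00Z 192.0.2.5 carol LOGIN_OK
2021-02-26T02:20:00Z 203.0.113.9 erin LOGIN_FAIL
2021-02-26T02:20:01Z 203.0.113.9 erin LOGIN_FAIL
2021-02-26T02:20:02Z 203.0.113.9 erin LOGIN_FAIL
2021-02-26T02:20:03Z 203.0.113.9 erin LOGIN_FAIL
2021-02-26T02:20:04Z 203.0.113.9 erin LOGIN_FAIL
2021-02-26T02:20:05Z 203.0.113.9 erin LOGIN_FAIL
"""


def parse_line(line):
    """Return (timestamp, ip, user, success) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["ip"], m["user"], m["result"] == "LOGIN_OK"


def detect_stuffing(lines, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that, inside any sliding `window`, tried at least
    `min_users` distinct usernames with a failure ratio >= `min_fail_ratio`.

    Returns {ip: {"attempts", "distinct_users", "fail_ratio", "compromised"}},
    where the counts describe the largest flagged window and "compromised"
    lists accounts that logged in successfully from that IP inside a flagged
    window. A single-account brute force never reaches `min_users`, so it is
    deliberately left to a different rule.
    """
    by_ip = defaultdict(list)
    for ev in filter(None, (parse_line(l) for l in lines)):
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it is within `window` of the end.
            while events[start][0] < events[end][0] - window:
                start += 1
            win = events[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if not e[3])
            ratio = fails / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                f = findings.setdefault(ip, {"attempts": 0, "distinct_users": 0,
                                             "fail_ratio": 0.0, "compromised": set()})
                if len(win) > f["attempts"]:
                    f["attempts"], f["distinct_users"], f["fail_ratio"] = len(win), len(users), ratio
                f["compromised"].update(e[2] for e in win if e[3])
    for f in findings.values():
        f["compromised"] = sorted(f["compromised"])
    return findings


def accounts_to_reset(findings):
    """Every account that authenticated from a flagged IP: force a password
    reset and notify the customer, the response step Npower took."""
    return sorted({u for f in findings.values() for u in f["compromised"]})


if __name__ == "__main__":
    found = detect_stuffing(SAMPLE_LOG.splitlines())
    for ip, f in found.items():
        print(f"{ip}: {f['attempts']} attempts, {f['distinct_users']} users, "
              f"fail ratio {f['fail_ratio']:.2f}, compromised {f['compromised']}")
    print("reset:", accounts_to_reset(found))
```

Per-IP counting is only the simplest view: real stuffing campaigns spread requests across proxy pools and botnets so that no single address crosses a threshold, so production detection also watches the global rate of distinct-username failures, the ratio of failures to successes per client fingerprint, and successful logins from never-before-seen devices. None of that stops a leaked password that is still valid from working; only a second factor (or a check of new passwords against known-breached lists) does.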


The incident drew criticism from digital privacy advocates, who described it as a "huge lapse of security" that placed consumers at "substantial risk" and warranted regulatory investigation. Experts urged broader adoption of two-factor authentication (2FA), because a second factor stops an automated replay of a leaked but still-valid password from completing a login; Npower did not confirm implementing this measure in its immediate response. The company's public statement focused on incident notification and password reset guidance rather than on technical detail or system-level remediation. Cybersecurity analysts noted that timely consumer notification, a step Npower took, is critical for limiting the damage from credential stuffing, since the same reused passwords may still be valid on customers' other accounts. Financial data exposure was partial, limited to bank sort codes and partial account numbers, but combined with addresses and dates of birth this still raised the risk of identity theft and convincing phishing. The prospect of ICO enforcement and regulatory penalties under UK data protection law underscored the breach's severity. Npower's status as one of the "big six" energy firms amplified scrutiny of its security practices following the incident.
