Cyber Incident Victim: People's Energy
Date:
Dec 2020
Location:
United Kingdom
Summary
A UK energy supplier experienced a data breach compromising its entire customer database, exposing names, addresses, dates of birth, phone numbers, tariff details, and energy meter IDs for all 270,000 current and former customers. Hackers additionally accessed bank account information for 15 small business clients. The company promptly notified affected individuals, reported the incident to relevant authorities including the ICO and NCSC, and initiated an investigation with external experts. While no operational infrastructure was disrupted and most customers faced no direct financial exposure, the stolen personal data heightens risks of targeted phishing campaigns. Cybersecurity experts acknowledged the breach's severity but noted the firm's transparency in disclosure as a mitigating factor.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On December 18, 2020, UK energy supplier People’s Energy disclosed a data breach impacting its entire customer database, including both current and former customers. The breach was discovered on the morning of December 16, prompting immediate notification to all 270,000 active customers. Hackers accessed sensitive personal information, including full names, addresses, dates of birth, telephone numbers, energy tariff details, and meter identification numbers. For 15 small business customers, attackers additionally obtained bank account numbers and sort codes, though no other financial data was compromised. The company contacted affected business customers individually by phone while issuing broader notifications to residential customers via standard channels. People’s Energy reported the incident to the UK Information Commissioner’s Office (ICO), the National Cyber Security Centre (NCSC), and law enforcement authorities on the day of discovery. Initial statements confirmed the breach did not impact operational energy delivery systems or service infrastructure.
The company initiated an investigation with independent cybersecurity experts to determine the breach’s origin and identify the perpetrators. Co-founder Karin Sode publicly acknowledged the incident as a significant reputational setback, emphasizing the breach contradicted the company’s commitment to customer trust. While most customers faced no immediate financial risk due to the limited exposure of banking details, the compromised personal data created heightened susceptibility to targeted phishing campaigns. Industry analysts noted People’s Energy’s prompt breach disclosure contrasted with delayed notifications seen in other sectors, potentially mitigating secondary exploitation risks. The incident occurred amid a series of high-profile 2020 data breaches affecting companies including Marriott International, Experian, and easyJet, though no technical or attribution links between these events were confirmed in available reporting.