Cyber Incident Victim: British Gas

On October 28, 2015, British Gas notified approximately 2,200 customers that their email addresses and account passwords had been exposed online. The company confirmed the credentials appeared on the document-sharing platform Pastebin before being removed. British Gas disabled all affected accounts upon discovery. The compromised credentials permitted access to customer names, addresses, and historical energy bill details, but the company emphasized no banking information, payment card data, or financial records were exposed due to separate secure storage protocols. In communications to impacted users, British Gas explicitly denied any breach of its internal systems, stating, "there has been no breach of our secure data storage systems" and that payment data remained encrypted and secure. The company’s investigation concluded the leaked credentials did not originate from its infrastructure.

British Gas initiated customer notifications before fully verifying whether all published credentials were functional, leaving open the possibility that fewer accounts were actually compromised. With 14.7 million total customer accounts, the incident affected approximately 0.015% of its user base. The company proposed two potential origins for the credentials: reuse of passwords from unrelated third-party breaches or acquisition via phishing campaigns targeting customers. No forensic evidence confirming either hypothesis was disclosed. Affected customers received instructions to contact British Gas by telephone or to perform password resets through the company’s official website. The incident did not disrupt service for non-compromised accounts, and British Gas maintained operational continuity throughout its response. No regulatory penalties, legal actions, or additional systemic vulnerabilities were reported in connection with the exposure.