Cyber Incident Victim: Innogy

Date:

Feb 2021

Location:

United Kingdom

Summary

A British energy provider experienced a credential stuffing attack compromising customer financial and personal data, including dates of birth, addresses, contact details, and partial banking information, prompting the shutdown of its mobile app. Attackers exploited reused credentials from other breaches to access accounts, leading the company to notify affected customers, advise password changes, and report the incident to UK regulators and law enforcement. Cybersecurity experts criticized the security failure for exposing consumers to fraud risks and emphasized the need for enhanced protections like two-factor authentication.

CIA Posture: Available to members
Motives: 3 motives
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

On February 26, 2021, British energy provider Npower, part of the 'big six' UK energy firms, disclosed a data breach resulting from a credential stuffing attack. Cybercriminals exploited login credentials stolen from unrelated websites to gain unauthorized access to customer accounts, leveraging automated software to test reused passwords at scale. The compromised data included customers' dates of birth, addresses, contact details, bank sort codes, and the last four digits of bank account numbers. Npower did not publicly specify the number of affected accounts but confirmed the breach forced the shutdown of its mobile app as a containment measure. The company stated it had directly notified impacted customers, advising them to change passwords and providing guidance to prevent further unauthorized account access. Cybersecurity experts characterized the attack as unsophisticated, emphasizing that credential stuffing exploits predictable password reuse across multiple platforms.
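The description above gives the defining signature of credential stuffing: one automated source cycling through many different accounts, each tried once or twice with a password leaked elsewhere, and succeeding on the fraction of customers who reused it. The detection logic below is an added example written for this page; it is not Npower's tooling and nothing in the page describes what Npower logged. The log format, the thresholds (5 attempts within 5 minutes, 80% of them against distinct accounts) and the sample log lines are constructed assumptions chosen to show the pattern, and the second source in the sample shows the contrasting brute-force shape (many attempts against one account) that the same counters should not confuse with stuffing.

```python
"""Credential-stuffing detection over web-login audit logs.

Added example, not code from Npower or from the page. Log format,
thresholds and sample data are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log (not real customer data). Assumed format per line:
# <ISO-8601 timestamp> <source IP> <username> <OK|FAIL>
SAMPLE_LOG = """\
2021-02-20T10:00:01 203.0.113.7 alice@example.com FAIL
2021-02-20T10:00:02 203.0.113.7 bob@example.com FAIL
2021-02-20T10:00:02 203.0.113.7 carol@example.com OK
2021-02-20T10:00:03 203.0.113.7 dave@example.com FAIL
2021-02-20T10:00:03 203.0.113.7 erin@example.com FAIL
2021-02-20T10:00:04 203.0.113.7 frank@example.com FAIL
2021-02-20T10:00:04 203.0.113.7 grace@example.com OK
2021-02-20T10:00:05 203.0.113.7 heidi@example.com FAIL
2021-02-20T10:01:00 198.51.100.9 ivan@example.com FAIL
2021-02-20T10:01:05 198.51.100.9 ivan@example.com FAIL
2021-02-20T10:01:10 198.51.100.9 ivan@example.com FAIL
2021-02-20T10:01:15 198.51.100.9 ivan@example.com FAIL
2021-02-20T10:01:20 198.51.100.9 ivan@example.com FAIIL
2021-02-20T10:05:00 192.0.2.44 judy@example.com OK
""".replace("FAIIL", "FAIL")  # keep the sample strictly four-token lines

WINDOW = timedelta(minutes=5)   # assumed sliding window per source IP
MIN_ATTEMPTS = 5                # assumed: judge a source only after this many tries
MIN_DISTINCT_RATIO = 0.8        # assumed: stuffing targets a new account on almost every try


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


@dataclass
class Finding:
    ip: str
    attempts: int
    distinct_users: int
    compromised: List[str] = field(default_factory=list)  # accounts that logged in OK from the stuffing source


def parse_log(text: str) -> List[Event]:
    """Parse the assumed four-token line format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def classify_source(evs: List[Event], window=WINDOW, min_attempts=MIN_ATTEMPTS,
                    min_ratio=MIN_DISTINCT_RATIO) -> str:
    """Classify one source IP's events as credential_stuffing, brute_force or benign.

    A sliding window walks the time-sorted events; the first window holding at
    least min_attempts decides: mostly distinct usernames => stuffing, otherwise
    repeated attempts on few accounts => brute force.
    """
    evs = sorted(evs, key=lambda e: e.ts)
    lo = 0
    for hi in range(len(evs)):
        while evs[hi].ts - evs[lo].ts > window:
            lo += 1
        span = evs[lo:hi + 1]
        if len(span) < min_attempts:
            continue
        ratio = len({e.user for e in span}) / len(span)
        return "credential_stuffing" if ratio >= min_ratio else "brute_force"
    return "benign"


def detect_stuffing(events: List[Event]) -> Dict[str, Finding]:
    """Return one Finding per source IP whose traffic looks like credential stuffing.

    Successful logins from such a source are the accounts to lock and notify:
    their password was almost certainly reused from another breach.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        if classify_source(evs) != "credential_stuffing":
            continue
        findings[ip] = Finding(
            ip=ip,
            attempts=len(evs),
            distinct_users=len({e.user for e in evs}),
            compromised=sorted({e.user for e in evs if e.ok}),
        )
    return findings


if __name__ == "__main__":
    for f in detect_stuffing(parse_log(SAMPLE_LOG)).values():
        print(f"{f.ip}: {f.attempts} attempts on {f.distinct_users} accounts; "
              f"likely compromised: {', '.join(f.compromised) or 'none'}")
```

The discriminator is the distinct-username ratio, not the failure count alone: a password brute force and a credential-stuffing run both produce a burst of failures, but only the latter spreads them across many accounts, and only the latter's occasional successes mark accounts whose reused password should be treated as known to the attacker. Per-IP counting is the simplest view and is what this block implements; a campaign routed through a proxy pool spreads the same attempts across many addresses, so in production the same ratio should also be tracked per ASN, per user-agent fingerprint and globally, and paired with the controls the page's commentators call for (screening new passwords against breach corpora and requiring a second factor).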

Npower reported the incident to UK authorities including the Information Commissioner’s Office (ICO) and Action Fraud, initiating a regulatory investigation. Cybersecurity analysts warned the exposed data elevated risks of fraud and phishing campaigns targeting affected customers. ProPrivacy’s Ray Walsh criticized Npower’s security lapse for creating substantial consumer risk, while ESET’s Jake Moore highlighted the absence of two-factor authentication as a preventable vulnerability. The breach drew public attention after initial reporting by MoneySavingExpert.com. Npower’s response included customer notifications and password-reset directives but omitted implementation timelines for enhanced security measures like multi-factor authentication. Industry observers noted the incident underscored broader challenges in mitigating credential-stuffing threats despite existing awareness of basic password hygiene practices.

Sources
1 source (available to members)