fbpx

People’s Energy Data Breach

THIS ACTION IS NOW CLOSED

People’s Energy was affected by a cyber security data breach when an unauthorised third party gained access to its systems. This page explains how the People’s Energy data breach happened. 

What happened in the People’s Energy data breach?

In December 2020, People’s Energy suffered a data breach which affected every single one of its 270,000 customers. The breach happened when hackers stole a database from People’s Energy. The data stolen included customer:

15 small-business customers also had their bank accounts and sort codes accessed. All 270,000 current customers were contacted following the data breach. 

The email from People’s Energy said:

“We’re very sorry to tell you that on the 16th December People’s Energy was affected by a cyber security data breach.

“No financial information, bank account details, or People’s Energy online account passwords have been compromised for any domestic customers. However, some personal details were accessed. These include member names, addresses, email addresses, telephone numbers, dates of birth, People’s Energy account numbers, tariff details, and meter identification numbers.

“We have acted quickly and informed the Police, Information Commissioner and Ofgem. We’re following their advice in dealing with this situation.

“Given the importance of this message, we are trying to send as fast as possible via multiple channels, therefore you may receive this communication more than once.

“We have implemented additional security measures to protect your data

“We have identified how our systems were accessed and the gap in our security has been closed. We’re also working with a dedicated security team to add further protection to our systems.

“You will also be asked for more details than normal when you contact us – this is standard procedure to help us make sure we know we are talking to you, our member.”

Victims of the People's Energy data breach were at risk

People’s Energy warned victims of this breach to be cautious. It said:

We would ask you and all our members to be cautious, as it is possible that someone might try to contact you with the details they have accessed. If you are suspicious about any communication coming from People’s Energy or pretending to come from People’s Energy, you should contact our member helpline and let us know.”

People’s Energy also set up a dedicated team to help customers following the breach. 

Our expert opinion

Commenting on the People’s Energy data breach, Kingsley Hayes, leading data protection expert said:

“A spokesperson for People’s Energy said that the business was “extremely upset” that the breach occurred and has highlighted its ‘Community Interest*’ status as evidence that it puts its customers and community first. Unfortunately, with the impact on customers potentially significant and distressing, good intentions are no defence if it is found that poor security made the criminal attack possible. Today, businesses of all types and sizes will likely fall victim to a cyberattack at some point. So, every company must do all it can to protect customers from data theft.”

*A community interest company is a company recognised under the Companies Act 2004, that aims to use its profits and assets for the public good.

People’s Energy Data Breach Timeline

  • 16 December 2020
    People’s Energy was affected by a cyber security data breach when an unauthorised third party gained access to its systems. The company informed the Information Commissioner’s Office and the energy industry regulator, Ofgem.
  • 17 December 2020
    People’s Energy emailed customers to let them know that their privacy has been violated.
  • September 2021
    British Gas took on customers of People’s Energy after the supplier failed. People’s Energy made large losses in the three years before its administration.

Your questions answered

See our answers to the FAQs we get asked about the People’s Energy data breach.

How did the security incident happen?

The breach occurred after cybercriminals targeted the company’s IT systems. During this attack, the hackers accessed and copied the personal information of over 250,000 current and former customers. The cybersecurity data breach happened on 16 December 2020. 

How many people were affected?

The People’s Energy data breach affected every one of its current customers; it could have also affected previous customers. Fifteen small-business customers were also put at risk.

What data was accessed?

The stolen information included:

No financial information, bank account details, or People’s Energy online account passwords were compromised for any domestic customers. However, the 15 small-business customers had their bank accounts and sort codes accessed.

Was my information accessed in the breach?

Affected customers were contacted to alert them to the privacy violation.

How did People's Energy respond to the breach?

Following the breach, People’s Energy informed the Police, the Information Commissioner and Ofgem. It also launched an internal investigation into why the breach happened. The company also implemented additional security measures to protect customer data from further harm.