UK energy company Npower has permanently closed its mobile app, after finding that hackers had used it to steal sensitive information from customers.
The company will not bring the app back online in the future, as it was due to be withdrawn anyway within the next few weeks following Npower’s acquisition by Eon.
Users can continue to access their accounts by logging in on the Npower website.
Money Saving Expert
The Npower data breach was first reported by Money Saving Expert, which claimed the unauthorised access likely happened before 2 February 2021.
Npower did not reveal how many accounts were affected but informed the BBC that all affected accounts had been locked.
The company said its IT teams identified suspicious activity affecting the mobile app, and an initial investigation revealed that unidentified attackers had used a ‘credential stuffing’ attack to access customer accounts with login data stolen from another website.
The hackers may have been able to view users’ personal information, partial financial information and contact preferences.
Npower said it has informed all affected customers and advised them to change their passwords as soon as possible. Those customers are also being asked to change their passwords on any other accounts where they reused the same password.
Npower explained that the limited information accessed posed no risk to users’ bank accounts, and added that it has informed the Information Commissioner’s Office about the attack.
Action Fraud, the UK’s national fraud reporting service, advised Npower customers to remain alert to potential phishing emails and to report any suspicious activity to law enforcement.
This is not the only security breach affecting Npower users.
In September 2018, the personal details of around 5,000 customers were exposed in an incident that saw names, addresses and payment details emailed to the wrong account holders.
Commenting on this latest breach, Adam Palmer, Chief Cyber-Security Strategist at cyber-security company Tenable, observed, “The attack against the Npower app is just the most recent example of cyber-criminals using previously stolen or leaked consumer data to launch additional attacks.
“Known as ‘credential stuffing’, attackers inject large amounts of stolen passwords or IDs against other accounts with the goal that a small number will successfully allow access to the victims’ accounts. This attack is successful because many consumers use the same credentials for multiple accounts, the equivalent of using the same key for multiple locks.
“These are not advanced attacks and the risk can be significantly reduced if online users use unique passwords for each account. For businesses, these attacks are also one of the reasons they must act quickly to notify consumers of a data breach so steps can be taken to change passwords or monitor accounts.
Actively assessing systems for exploitable vulnerabilities to remediate can close potential data leak sources before a breach occurs.”
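As an added illustration of the defensive side of what Palmer describes (this is example code, not from Npower, Tenable or Bridewell), the following Python flags source addresses that attempt many distinct usernames in a short window with mostly failures, the characteristic shape of credential stuffing, and lists the accounts that nevertheless succeeded so they can be locked and their owners told to change passwords, as Npower did. The log lines, field layout and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real Npower logs):
# timestamp, source IP, username, result
SAMPLE_LOG = """\
2021-01-30T10:00:01Z 203.0.113.7 alice@example.com FAIL
2021-01-30T10:00:02Z 203.0.113.7 bob@example.com FAIL
2021-01-30T10:00:02Z 203.0.113.7 carol@example.com OK
2021-01-30T10:00:03Z 203.0.113.7 dave@example.com FAIL
2021-01-30T10:00:04Z 203.0.113.7 erin@example.com FAIL
2021-01-30T10:00:05Z 203.0.113.7 frank@example.com OK
2021-01-30T10:00:20Z 198.51.100.4 grace@example.com FAIL
2021-01-30T10:00:25Z 198.51.100.4 grace@example.com OK
2021-01-30T10:00:30Z 192.0.2.9 heidi@example.com OK
"""


def parse_events(text):
    """Turn the constructed log format into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((stamp, ip, user, result == "OK"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, max_success_ratio=0.5):
    """Return {source_ip: [accounts that succeeded]} for sources that tried
    at least min_users distinct usernames inside one window with a success
    ratio at or below max_success_ratio. A single user retrying their own
    password (one username, as 198.51.100.4 does) is not flagged: the
    distinct-username spread is what separates stuffing from a forgotten password."""
    by_ip = defaultdict(list)
    for stamp, ip, user, ok in events:
        by_ip[ip].append((stamp, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _, _) in enumerate(attempts):
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            users = {u for _, u, _ in in_window}
            successes = {u for _, u, ok in in_window if ok}
            if len(users) >= min_users and len(successes) / len(in_window) <= max_success_ratio:
                flagged.setdefault(ip, set()).update(successes)
    return {ip: sorted(accts) for ip, accts in flagged.items()}
```

The accounts returned for a flagged source are the ones to lock and notify; the source itself is a candidate for rate limiting or blocking at the login endpoint.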
James Smith, Principal Security Consultant and Head of Penetration Testing at Bridewell Consulting, explained:
“This attack on Npower is incredibly serious but unfortunately not surprising. The attack surface area of the UK’s energy sector is vast, as more than two-thirds have made their Operational Technology (OT) systems accessible over the internet.”
Highly Sensitive Data
“In this instance, customers have lost highly sensitive data which was Npower’s responsibility to protect. With the rate of attacks increasing as they are, the consequences could become even more severe…”
“It’s not just the energy sector that is at risk, but the UK’s critical national infrastructure as a whole – including healthcare, water, aviation and more, and the consequences of these attacks can put public safety at real risk, including a threat to loss of life.”