Npower security breach spills personal details of 5,000 customers - by post

Old-fashioned data breach being investigated by energy giant

Npower has admitted spilling the personal details of around 5,000 customers in a glitch that saw names, addresses and payment details emailed to the wrong account holders.

The energy giant is conducting an investigation.

"We're urgently investigating how this occurred with our fulfilment partner, who sent the mailing on our behalf. We apologise for this error, especially to the customers whose information was incorrectly shared - around 5,000 in total," an Npower spokeswoman said.

The company has also informed the over-worked Information Commissioner's Office (ICO) of the breach.

When I opened it the front page was addressed to me but overleaf were personal details of another customer

An ICO spokesperson said: "Under new laws, organisations must notify the ICO within 72 hours of becoming aware of a personal data breach unless it does not pose a risk to people's rights and freedoms."

One customer who received a letter over the weekend was retired GP Dr Tom Harris, from Somerset, who told the BBC: "When I opened it the front page was addressed to me but overleaf were personal details of another customer. And there were another two sheets of A4 with the details of three others.

"They should have gone to people living in Gloucestershire, Sheffield, Oxford and Bedford."

The 77-year-old said when he contacted Npower "they didn't seem unduly surprised" and that the company "was aware of other people in the same situation".

The Npower data breach comes as security consultants have warned about a gang that has compromised payment pages on thousands of commerce websites since they were first identified in 2015.

The hackers, believe RiskIQ, were responsible not just for the recent British Airways security breach, which spilled payment details of some 380,000 customers at the end of August and beginning of September, but also the long-running Ticketmaster security breach.