Just when everybody thinks that they are free of cybercrime, another UK company bites the dust (almost) and suffers an unexpected data breach. Npower, owned by E.ON, one of the largest energy suppliers in the UK, had its customer app compromised in February this year. The breach involved using login data stolen from another website to access customer accounts via the Npower app.


Hackers accessed the Npower app using a cyberattack known on the street as ‘credential stuffing.’ Credential stuffing involves obtaining stolen account credentials and using these to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application or website. Credential stuffing is simple and sneaky by design. It does not use brute force or try to guess any passwords. The cyber crook simply automates the logins for thousands or millions of previously used usernames and passwords using standard web automation tools – until they hit the jackpot!
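From the defender's side, this pattern shows up in authentication logs as one source trying many different accounts with very few successes. The following Python is an added example, not Npower's code or part of the original post; the event format, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, success).
# Addresses come from the documentation ranges; none are real indicators.
SAMPLE_EVENTS = (
    [("203.0.113.7", f"user{i}@example.com", i in (17, 42)) for i in range(60)]
    + [("198.51.100.20", "alice@example.com", False),   # a user mistyping
       ("198.51.100.20", "alice@example.com", False),   # their own password
       ("198.51.100.20", "alice@example.com", True),
       ("192.0.2.55", "bob@example.com", True)]
)


def detect_stuffing(events, min_users=20, max_success_rate=0.10):
    """Flag source IPs whose login pattern matches credential stuffing.

    Stuffing tries one stolen password per account across many accounts, so
    the signal is many *distinct* usernames per source with few successes,
    not many failures against one account (per-account lockout covers that).
    Thresholds are illustrative assumptions and need tuning per service.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "hits": set()})
    for ip, user, ok in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        if ok:
            stats["hits"].add(user)

    flagged = {}
    for ip, s in per_ip.items():
        success_rate = len(s["hits"]) / s["attempts"]
        if len(s["users"]) >= min_users and success_rate <= max_success_rate:
            # Accounts that logged in successfully from a flagged source are
            # the ones to lock and notify.
            flagged[ip] = sorted(s["hits"])
    return flagged


if __name__ == "__main__":
    for ip, accounts in detect_stuffing(SAMPLE_EVENTS).items():
        print(f"block {ip}; lock and notify: {accounts}")
```

Automated campaigns often spread requests across many source addresses, so a per-IP threshold like this is one signal among several rather than a complete defence.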


What did Npower do to counter the data breach? Firstly, it took down its Android and Apple mobile apps. It then notified customers who may have been affected by the data breach and locked their accounts. Part of a statement from Npower read:

“We identified suspicious cyber activity affecting the Npower mobile app, where someone has accessed customer accounts using login data stolen from another website. We immediately locked any online accounts that were potentially affected, blocked suspicious IP addresses and took down the Npower app.”

Npower claimed that the withdrawal of the app was already in the pipeline as part of its ‘existing wind-down plans.’ The company did not disclose the number of individuals who may have been affected by the data breach.


Npower stated that hackers may have access to the following information from customers whose accounts were compromised:

  • Personal information including contact details, addresses and date of birth
  • Partial financial information including sort codes and the last four digits of bank account numbers
  • Contact preferences – do you prefer to be contacted by text, email, or phone


To comply with the GDPR and UK-GDPR, and remain within the law, a company must report any data breach to the Information Commissioner’s Office (ICO) within 72 hours. Npower did this and said:

“We’ve also notified the Information Commissioner’s Office and Action Fraud. Protecting customers’ security and data is our top priority.”

And the response from the ICO read:

“Npower has made us aware of an incident affecting their app and we are making enquiries.”

Npower also reported the data breach to Action Fraud, the UK’s national reporting centre for fraud and cybercrime.


As you know, cybersecurity is near and dear to me. At the moment it may seem impossible to stop cybercrime in its tracks. But there are steps you can take to avoid becoming a data breach victim like those loyal Npower customers. And these apply to protecting your data at home and work!

  • Use strong passwords and change them regularly
  • Don’t use predictable passwords such as names and places
  • Use different login credentials for different accounts
  • Don’t share passwords with anyone
  • Use a password manager like LastPass
  • Watch out for phishing emails
  • Monitor your bank account

Also, if you think that you’ve been a victim of cyber fraud, don’t be shy. Immediately report any cybercrime resulting from a data breach to your bank and to Action Fraud online.

And I couldn’t agree more with what Helen Knapman, editor at has to say about the Npower affair:

“More and more we’re seeing crooks turn online for the chance to get their hands on your hard-earned cash, whether directly or by stealing personal details which could help them carry out scams – and it appears this is what’s happened in this Npower data breach.
