Swept Under the Rug? Remembering Npower's Self-Inflicted Data Breach from 2018

Customer information is protected by consumer rights and privacy policies that keep identities safe from threats and from misuse of such data. When a breach happens, the first concern is identifying whether it causes lasting damage, followed by rectifying the problem as soon as possible. But did Npower actually do any of this?


Swindon-based large energy supplier Npower drew flak in 2018 when it suffered a data breach that saw some 5,000 customers' details leak via postal mailing. The letters contained customer names, addresses, and Feed-In Tariff (FiT) payment amounts for clients with solar panels.


Npower issued an apology as soon as the breach came to light, but the incorrect sharing of customers’ information was a blunder that put further strain on the company’s record.


Details on the breach


Energy giant Npower was notified of its data breach by a retired GP. Dr. Tom Harris, 77, from Somerset, shared that the letter he received from the company had other customers’ details, including names, complete addresses, and payment amounts, printed on the back of his quarterly statement.


The letter was a mailing for the firm’s Feed-In Tariff for customers who had solar panels.

A spokesperson reported that no bank details were disclosed and that the breach was promptly reported to the Information Commissioner’s Office (ICO). Npower had sent envelopes containing the quarterly statement to FiT scheme customers.


These letters were mailed to clients who owned solar panels and detailed how much money they would be receiving according to the scheme.


The letter


Dr. Harris opened the letter unsuspectingly, seeing that it was correctly addressed to him. However, he later found that the overleaf contained another customer's information and that the remaining two A4 sheets had details of three other customers.


In an interview with the BBC, Dr. Harris revealed that the letters should have been sent to people living in Sheffield, Oxford, Bedford, and Gloucestershire. He reached out to Npower, but noticed that the firm's representative didn’t seem surprised by the error. The company, it was noted, was already aware of similar instances reported by other customers.


Dr. Harris expressed his concern that his own details could have reached other people, which he feared would lead to identity fraud or at least open a gateway to it. Several other customers voiced the same worries at the time.


This breach came only two weeks after the Competition and Markets Authority gave the go-ahead for the Npower-SSE merger, which subsequently failed. The failed integration was chalked up to challenging market conditions and the default price cap introduced by Ofgem. Both companies also acknowledged performance issues, such as this blunder, as another reason for the merger's failure.


In January 2016, SSE was fined £1,000 by the ICO for incorrectly sending the name and account number of one customer to another SSE customer. The regulator is allowed to issue fines of up to £500,000 to companies that violate privacy rules.

Npower’s statement


The Npower spokesperson was quick to distance the company from the error, saying that a fulfilment partner was responsible for sending the letters. Along with the apology, the firm also revealed that it was conducting an urgent investigation into the data breach.


Around 5,000 customers’ data was incorrectly shared, for which the firm expressed profuse regret and asked for understanding.


An ICO spokesperson also made a statement on the regulator’s position, noting that every organisation should alert the ICO within 72 hours of a personal data breach. Under the new laws, companies are required to disclose such incidents unless there is no risk to people’s rights and freedoms.


The ICO immediately made enquiries into the matter to ensure that no further harm arose from a blunder Npower could have prevented in the first place.


Under the EU's General Data Protection Regulation, which still applied in the UK at the time, fines for such cases can be as much as 4% of the erring firm’s global annual revenue.