Ethical power supplier People's Energy hacked, 250,000 customers' personal info accessed

Renewable electricity and gas supplier People’s Energy has told its 250,000-plus customers that a “gap” in the security of its IT system was exploited by digital burglars. The British company’s co-founders Karin Sode and David Pike wrote to customers on Thursday morning to confirm that “yesterday People’s Energy was affected …

  1. Imhotep

    We're not Enron - We're Eethical

    "vowed to return 75 per cent of its profits to customers... It has not yet been able to do this."

    Sounds like a similar model to my insurance company/banker which also pays rebates to its associates.

    Might be a little tougher to pull off in the roller coaster energy sector, but if they are indeed debt free and growing, maybe it will happen.

    1. Jellied Eel Silver badge

      Re: We're not Enron - We're Eethical

      Might be a little tougher to pull off in the roller coaster energy sector, but if they are indeed debt free and growing, maybe it will happen.

      Yup, they'll maybe learn some more tricks from the old energy trading ways of Enron. But the vow assumes they'll ever make a profit, which many alt-electron providers don't, and go the way of Enron. See Nottingham's Robin Hood Energy for more info. But the energy sector is awash with greenwash, so-

      Founded in August 2017, People’s Energy buys wholesale leccy from renewable sources, and biomethane from food and farm waste, that it then resells onto consumers.

      Which is a common claim. Reality is a bit different-

      https://www.ofgem.gov.uk/environmental-programmes/rego/about-rego-scheme

      We issue one REGO certificate per megawatt hour (MWh) of eligible renewable output to generators of renewable electricity.

      The purpose of the certificate is to prove to the final customer that a given share of energy was produced from renewable sources. As such, the primary use of REGOs in Great Britain and Northern Ireland is for Fuel Mix Disclosure. FMD requires licensed electricity suppliers to disclose to potential and existing customers the mix of fuels (coal, gas, nuclear, renewable and other) used to generate the electricity supplied.

      So People use 1GWh of electricity. People buys 1000 REGOs. Claim your electrons are 100% Green! Bask in your virtuousness!

      Sadly the reality is somewhat different, at least until these greenwash schemes are actually coupled to generation by type. So for example-

      https://gridwatch.co.uk/Wind

      Wind, last month: minimum: 0.356 GW maximum: 12.687 GW average: 6.896 GW

      When wind was low, People's customers would have been using 'dirty' nuclear, coal & gas, not 'renewables', because as far as the hardware & network goes, electrons is electrons, and REGOs allow virtue signallers to provide the illusion of Green.

  2. Woodnag

    Dates of birth?

    Under GDPR, why is DOB even legal to be on a 'leccy supplier database?

    1. the spectacularly refined chap

      Re: Dates of birth?

      As an ID check when the customer phones up, possibly to check entitlement to any government mandated benefits - free/subsidised insulation and that sort of thing.

      1. Woodnag

        Re: Dates of birth?

        Sure, but after that the info doesn't have to stay on the DB. Just the check status.

    2. Anonymous Coward

      Re: Dates of birth?

      You don't need to give your correct DoB.

      1. Dan 55 Silver badge

        Re: Dates of birth?

        That depends on if it's used for a credit check or not.

      2. Danny 2

        Re: Dates of birth?

        The British monarch has had two birthdays for centuries, an 'official' one and an actual one. Plus they keep changing their family name and moving between multiple residences. That's how they are rich, keeping evading their debts.

        1. Danny 2

          Re: Dates of birth?

          What! I got downvoted for that?

          True story. Queen Victoria left a huge outstanding debt for laudanum with her Scottish druggist (not chemist, not pharmacist, yes opium) when she died. The drug dealer didn't complain because he'd been awarded a Royal warrant that enabled him to sell far more opium to the masses. We're still suffering from that here.

          I kind of feel sorry for her because her huge knickers keep coming up for auction. When I die I want all my pants burned.

        2. Anonymous Coward

          Re: Dates of birth?

          > The British monarch has had two birthdays for centuries

          Many of us do. I have a Hebrew and a Gregorian birthday (though I don't celebrate either).

    3. Mike 137 Silver badge

      Re: Dates of birth?

      They argue that it allows them to offer special services to pensioners (!!)

      The real reason is that some moron decided that it can be used as a security question because of course it's private data that fraudsters will not know. They often use your postcode for the same reason.

  3. Ken Moorhouse Silver badge

    but they had all been warned directly by phone.

    By phone??!!

    And who believes any unsolicited phone callers these days? Remember the TalkTalk hack?

    1. sabroni Silver badge

      Re: And who believes any unsolicited phone callers these days?

      So what would you suggest? That they drive over and knock on the door?

      You don't have to trust someone who calls, but you can take action to contact your supplier after the call to verify their identity.

      If it was my job to make sure my customers knew they'd been compromised I'd want to talk to them.

      1. Efer Brick

        Re: And who believes any unsolicited phone callers these days?

        Yes! Shave their respective heads and grovel on the floor for forgiveness, at every customer's front door.

      2. Mike 137 Silver badge

        Re: And who believes any unsolicited phone callers these days?

        "You don't have to trust someone who calls, but you can take action to contact your supplier after the call to verify their identity."

        Actually it would be preferable if authentication went both ways as a matter of course. When I phone my bank I have to identify and authenticate myself. When they phone me I'm supposed to blindly trust that they're who they say they are. It shouldn't be too hard for the originator of the call to authenticate to the recipient, whichever way the transaction takes place. They just can't be arsed to implement that, on the assumption that if you're bothered, you'll do the leg work to find out if the call was genuine or suffer the consequences if it wasn't. Your loss, not theirs.

      3. Robert Grant

        Re: And who believes any unsolicited phone callers these days?

        I'd suggest making sure you have an app you can push official comms through

    2. not.known@this.address

      Re: but they had all been warned directly by phone.

      "We've been hacked - be cautious of all communications claiming to be us." The article didn't say they called the customers and asked for more details, or anything. Why assume it was anything other than a heads-up that someone might try to take advantage?

      Not everybody follows the banks' model of "We called you at home - now prove who you are..." (I have often wondered how much fun I could have by saying 'Hold on, I've just broken in but it's okay, the homeowner has left their driving licence on the table...' and seeing what happens next).

    3. macjules

      Re: but they had all been warned directly by phone.

      I did get the call from "people's energy customer services" to inform me that "no personal data was released apart from possibly your email address and some other details". So far this morning I have had an 0203 number call claiming to be HMRC. Held on to see what they knew about me and they do have my home address, DoB, number of dependents and my bank name (but not account or sort code). I do not usually give out my DoB so about the only company that has had that recently was PE.

      1. Steve Davies 3 Silver badge

        Re: Scammers ramping up their efforts

        for the holidays

        I've had seven calls today. Four from Amazon about my Amazon Prime renewing. One from HMRC threatening me with court action if I didn't press '1', one from BT (not on BT) saying that because I've been viewing Porn, my service was being disconnected, and finally, one from People's Energy asking me to confirm my details. As I'm an Octopus customer, I knew it to be a scam (it apparently came from an 023 number)

        The BT call apparently came from Germany. They failed there.

        These people are really organised if they are on top of the People's Energy Scam.

        I fully expect to be entertained by dozens of calls on the 25th. Family Crimble is canned this year but hopefully, we can all get on Zoom for the carving of the Turkey.

        Watch out people.

        1. General Purpose

          Re: Scammers ramping up their efforts

          So, as you're an Octopus customer, they didn't get your number from the People's Energy breach. Curious. Are they random-dialling in the hope of finding some of the only 250,000 People's Energy customers across the UK and then conning them?

          1. Steve Davies 3 Silver badge

            Re: Scammers ramping up their efforts

            My landline was once in the BT phone book so I guess that is where they got it from.

            I say once... I went ex-directory over 10 years ago.

            Or perhaps they got it from someone who had it in their contacts list?

            However, and tbh... I think that they are random dialling. Dial 50 numbers and play them the recorded announcement and hope that someone falls for it and presses whatever number it is that they want you to and they have you.

            The numbers of calls relating to 'your computer is running slow' or 'we have detected suspicious activity on your computer' are going down and are actually pretty rare these days (probably speaking too soon).

            I expect they'll be back after Christmas because of all those new laptops etc that will be given as presents.

  4. sitta_europea Silver badge

    When someone asks me for my birth date now I always lie.

    1. Anonymous Coward

      So you've reached that age too, eh?

    2. Anonymous Coward

      I always (except in person, for reasons of plausibility) use 1970-01-01. It's easy to remember and acts as a basic check of the quality of their IT systems.

      1. General Purpose

        So if someone gets that date from one breach, they can use it to attack your other accounts?

      2. John Brown (no body) Silver badge

        There are probably plenty of people with that birthdate. How is it a check of the quality of their IT systems?

        1. Ken Moorhouse Silver badge

          Re: How is it a check of the quality of their IT systems?

          29 Feb 2020 might arguably be a better benchmark, but if someone does use that date as their dob, or that is their dob, they may find it difficult to authenticate themselves with systems that have leap-year bugs.

          https://codeofmatt.com/list-of-2020-leap-day-bugs/

  5. Anonymous Coward

    15

    I like the fact that they gave an exact number rather than the exceedingly annoying and clichéd "a small number of our customers".

  6. Anonymous Coward

    Thought exercise

    How would you have designed their systems so that the data¹ can be stored in a way so as to make access more difficult should an attacker be able to breach the database?

    I do not know, still thinking. But I guess that my answer would involve separate systems for different types of data, or at a minimum per-column access restrictions, and encryption tied to the IT systems operator authentication credentials. Billing details would not be in my system at all but with a third party specialised in financial systems (in theory they *should* be better at protecting that data).

    I don't have experience with this though and would have to research current theory and best practices.

    ¹ Most of which is needed for providing the service requested and getting paid.

    1. Pier Reviewer

      Re: Thought exercise

      The main problem you have with this kind of thing is that if you can compromise the app you can access any data/systems the app can access. If the app needs to show you your details, it needs access to them.

      One option is to encrypt at rest, but then you have the key management problem - the app needs access to the key, so an attacker that compromises the app can get the key.

      You can (partially) solve this using an HSM - the encryption key is itself encrypted using an HSM. When the app needs the key it passes the encrypted key to the HSM and asks it to decrypt it. There are still issues with this (performance vs security, eg do you use a single key, one per user etc). However it means at the very least the attacker either needs to extract the key as well as the DB, or individually exfil every record. If you have a blue team the idea is they spot this behaviour before too much damage is done. If you don’t, then you(r customers) are boned either way.

      Neither HSMs nor blue teams are particularly cheap. Guess what businesses value most when asked to choose between definitely spending a wad of cash to protect someone else’s data, or pocketing larger dividends with a risk they *might* get popped?...

  7. Flywheel

    "some personal details were accessed"

    "This data included member names, home addresses, email addresses, telephone numbers, dates of birth, People’s Energy account numbers, tariff details, and meter identification numbers"

    Feck! "Some"? Is there much left to access?

  8. A random security guy

    Most of the data, especially private information, should not have been stored at all

    DOB and such should not be stored. Salt+Hashing really doesn't work because there are just a limited number of birthdays so one can brute-force their way faster than one can type this sentence.

    Maybe super-secure credit ratings companies (sarcasm) can store it and a credit check can be done against them?
