Npower scraps app after financial details stolen in data hack - what you need to know
Big six energy firm Npower has closed down its app after hackers accessed customers' accounts, including partial bank details, MoneySavingExpert.com can reveal. If you used the app, you should make sure you're not using the same password on other accounts and be alert for suspicious bank account activity and phishing scams.
Npower says customer accounts were accessed using login data obtained from other websites - a common technique used by hackers, known as 'credential stuffing'. The firm won't say how many accounts were hacked, though it says not all accounts were affected and customers whose accounts were accessed have now been contacted. It says data that may have been viewed includes:
- Personal information - eg, contact details, date of birth and address
- Partial financial info - this includes sort codes and the last four digits of customers' bank account numbers - though crucially NOT full account numbers
- Contact preferences - eg, if you prefer to be contacted by email, text or phone call
Npower won't say exactly when the hack took place, though MoneySavingExpert.com has seen an email from the firm on 2 February warning customers that their accounts have been locked following third-party access. The hack is also now being investigated by the Information Commissioner's Office (ICO). Npower says it has closed down its app in the wake of the attack and does not intend to relaunch it as it was due to close in the coming weeks anyway.
See our 30+ Ways to Stop Scams guide for more info on what to look out for, how to protect yourself, and what to do if you're a victim of a scam.
Told you were affected? Change passwords and be alert for suspicious activity
Npower says it's advised all customers whose accounts were accessed to change their passwords as a general precaution. However, it's NOT specifically advised people to contact their bank unless they notice anything unusual on their account. Npower believes there's no risk of customers' bank accounts being accessed or used fraudulently with the limited information which was taken. Bear in mind, though, that any theft of personal data could leave you at increased risk of scams.
Action Fraud - the UK's national fraud reporting service - adds that Npower customers should also consider the following guidance:
- Watch out for phishing emails. Criminals may use your personal details to target you with convincing emails, texts and calls. Be suspicious of unsolicited requests for your personal or financial details. If you receive an email which you’re not sure about, forward it to the Suspicious Email Reporting Service (SERS) at email@example.com.
- Monitor your bank account. Be vigilant against any unusual activity on your accounts and report any unauthorised transactions to your bank immediately.
- Secure your passwords. If you have been affected, as a form of best practice you may want to consider changing your passwords for important accounts, such as banking. See Cyber Aware's advice on creating a good password that you can remember, or read the National Cyber Security Centre's (NCSC’s) guidance for help on using a password manager. You can also read the NCSC’s info on how to protect yourself from the impact of data breaches.
- If you think you've been a victim of fraud, report it. If you have been a victim of fraud or cyber crime as a result of a data breach, contact your bank immediately and report it to Action Fraud online or by calling 0300 123 2040.
Helen Knapman, assistant editor - news and investigations - at MoneySavingExpert.com said: "More and more we're seeing crooks turn online for the chance to get their hands on your hard-earned cash, whether directly or by stealing personal details which could help them carry out scams - and it appears this is what's happened in this Npower data breach.
"Anyone, regardless of whether their account has been compromised, should always use different passwords for all of their online accounts - if you struggle to remember them, you can store them in a password manager. If you're concerned your data may have been accessed, monitor your bank account and also keep an eye on your credit report to see if someone is making false applications for credit in your name."
Npower app users now need to use its website services
Npower deactivated its app after the hack. But while it says it's been able to secure the app from similar attacks in future, it has now decided to scrap it completely. The energy firm says it had planned to get rid of the app before the hack anyway as it believes its website fulfils customers' needs.
The company says the app allowed customers to make payments, view bills and enter meter readings, and to do this you'll now need to use the Npower website. To unlock your account you'll need to reset your password. You can do this by going to Npower.com, clicking on ‘Log in’, and then ‘I've forgotten my login details’.
The information watchdog has been informed about the hack
An Npower spokesperson said: "We immediately locked any online accounts that were affected, blocked suspicious IP addresses and deactivated the Npower app. We’ve also notified the Information Commissioner’s Office and Action Fraud. Protecting customers’ security and data is our top priority."
A spokesperson for the ICO said: “Npower has made us aware of an incident affecting its app and we are making enquiries.”