Ethical power supplier People's Energy hacked, 250,000 customers' personal info accessed Renewable electricity and gas supplier People’s Energy has told its 250,000-plus customers that a “gap” in the security of its IT system was exploited by digital burglars. The British company’s co-founders Karin Sode and David Pike wrote to customers on Thursday morning to confirm that “yesterday People’s Energy was affected …
"vowed to return 75 per cent of its profits to customers... It has not yet been able to do this."
Sounds like a similar model to my insurance company/banker which also pays rebates to its associates.
Might be a little tougher to pull off in the roller coaster energy sector, but if they are indeed debt free and growing, maybe it will happen.
Might be a little tougher to pull off in the roller coaster energy sector, but if they are indeed debt free and growing, maybe it will happen.
Yup, they'll maybe learn some more tricks from the old energy trading ways of Enron. But the vow assumes they'll ever make a profit, which many alt-electron providers don't, and go the way of Enron. See Nottingham's Robin Hood Energy for more info. But the energy sector is awash with greenwash, so-
Founded in August 2017, People’s Energy buys wholesale leccy from renewable sources, and biomethane from food and farm waste, that it then resells onto consumers.
Which is a common claim. Reality is a bit different-
https://www.ofgem.gov.uk/environmental-programmes/rego/about-rego-scheme
We issue one REGO certificate per megawatt hour (MWh) of eligible renewable output to generators of renewable electricity.
The purpose of the certificate is to prove to the final customer that a given share of energy was produced from renewable sources. As such, the primary use of REGOs in Great Britain and Northern Ireland is for Fuel Mix Disclosure. FMD requires licensed electricity suppliers to disclose to potential and existing customers the mix of fuels (coal, gas, nuclear, renewable and other) used to generate the electricity supplied.
So People use 1GWh of electricty. People buys 1000 REGOs. Claim your electrons are 100% Green! Bask in your virtuousness!
Sadly the reality is somewhat different, at least until these greenwash schemes are actualy coupled to generation by type. So for example-
https://gridwatch.co.uk/Wind
Wind, last month: minimum: 0.356 GW maximum: 12.687 GW average: 6.896 GW
When wind was low, People's customers would have been using 'dirty' nuclear, coal & gas, not 'renewables', because as far as the hardware & network goes, electrons is electrons, and REGOs allow virtue signallers to provide the illusion of Green.
What! I got downvoted for that?
True story. Queen Victoria left a huge outstanding debt for laudanum with her Scottish druggist (not chemist, not pharmacist, yes opium) when she died. The drug dealer didn't complain because he'd been awarded a Royal warrant that enabled him to sell far more opium to the masses. We're still suffering from that here.
I kind of feel sorry for her because her huge knickers keep coming up for auction. When I die I want all my pants burned.
They argue that it allows them to offer special services to pensioners (!!)
The real reason is that some moron decided that it can be used as a security question because of course it's private data that fraudsters will not know. They often use your postcode for the same reason.
So what would you suggest? That they drive over and knock on the door?
You don't have to trust someone who calls, but you can take action to contact your supplier after the call to verify their identity.
If it was my job to make sure my customers knew they'd been compromised I'd want to talk to them.
"You don't have to trust someone who calls, but you can take action to contact your supplier after the call to verify their identity."
Actually it would be preferable if authentication went both ways as a matter of course. When I phone my bank I have to identify and authenticate myself. When they phone me I'm supposed to blindly trust that they're who they say they are. It shouldn't be too hard for the originator of the call to authenticate to the recipient, whichever way the transaction takes place. They just can't be arsed to implement that, on the assumption that if you're bothered, you'll do the leg work to find out if the call was genuine or suffer the consequences if it wasn't. Your loss, not theirs.
"We've been hacked - be cautious of all communications claiming to be us." The article didn't say they called the customers and asked for more details, or anything. Why assume it was anything other than a heads-up that someone might try to take advantage?
Not everybody follows the banks' model of "We called you at home - now prove who you are..." (I have often wondered how much fun I could have by saying 'Hold on, I've just broken in but it's okay, the homeowner has left their driving licence on the table...' and seeing what happens next).
I did get the call from "people's energy customer services" to inform me that "no personal data was released apart from possibly your email address and some other details". So far this morning I have had an 0203 number call claiming to be HMRC. Held on to see what they knew about me and they do have my home address, DoB, number of dependents and my bank name (but not account or sort code). I do not usually give out my DoB so about the only company that has had that recently was PE.
for the holidays
I've had seven calls today. Four from Amazon about my Amazon Prime renewing. One from HMRC threatenening me with court action if I didn't press '1', one from BT (not on BT) saying that because I've been viewing Porn, my service was being disconnected. and finally, one from People's Energy asking me to confirm my details. As I'm an Octopus customer, I knew it to be a scam (it apparently came from an 023 number)
The BT call apparently came from Germany. They failed there.
These people are really organised if they are on top of the People's Energy Scam.
I fully expect to be entertained my dozens of calls on the 25th. Family Crimble is canned this year but hopefully, we can all get on Zoom for the carving of the Turkey.
Watch out people.
My landline was once in the BT phone book so I guess that is where they got it from.
I say once... I went ex-directory over 10 years ago.
Or perhaps they got it from someone who had it in their contacts list?
However, and tbh... I think that they are random dialling. Dial 50 numbers and play them the recorded announcement and hope that someone falls for it and presses whatever number it is that they want you to and they have you.
The numbers of calls relating to 'your computer is running slow' or 'we have detected suspicious activity on your computer' are going down and are actually pretty rare these days (probably speaking too soon).
I expect they'll be back after christmas because of all those new laptops etc that will be given as presents.
29 Feb 2020 might arguably be a better benchmark. but if someone does use that date as their dob, or that is their dob, they may find it difficult to authenticate themselves with systems that have leap-year bugs.
https://codeofmatt.com/list-of-2020-leap-day-bugs/
How would you have designed their systems so that the data¹ can be stored in a way so as to make access more difficult should an attacker be able to breach the database?
I do not know, still thinking. But I guess that my answer would involve separate systems for different types of data, or at a minimum per-column access restrictions, and encryption tied to the IT systems operator authentication credentials. Billing details would not be in my system at all but with a third party specialised in financial systems (in theory they *should* be better at protecting that data).
I don't have experience with this though and would have to research current theory and best practices.
¹ Most of which is needed for providing the service requested and getting paid.
The main problem you have with this kind of thing is that if you can compromise the app you can access an data/systems the app can access. If the app needs to show you your details, it needs access to them.
One option is to encrypt at rest, but then you have the key management problem - the app needs access to the key, so an attacker that compromises the app can get the key.
You can (partially) solve this using a HSM - the encryption key is itself encrypted using a HSM. When the app needs the key it passes the encrypted key to the HSM and asks it to decrypt it. There are still issues with this (performance vs security, eg do you use a single key, one per user etc). However it means at the very least the attacker either needs to extract the key as well as the DB, or individually exfil every record. If you have a blue team the idea is they spot this behaviour before too much damage is done. If you don’t, the you(r customers) are boned either way.
Neither HSMs nor blue teams are particularly cheap. Guess what businesses value most when asked to choose between definitely spending a wad of cash to protect someone else’s data, or pocketing larger dividends with a risk they *might* get popped?...
DOB and such should not be stored. Salt+Hashing really doesn't work because there are just a limited number of birthdays so one can brute-force their way faster than one can type this sentence.
Maybe super-secure credit ratings companies (sarcasm) can store it and a credit check can be done against them?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
