The last major data breach of 2020 occurred in the UK, affecting the data of some 270,000 customers of People’s Energy, a crowdfunded energy supplier based in Shawfair, Scotland, whose energy comes from 100 percent renewable sources.
The breach took place on December 17, and the company has announced that it quickly informed the energy sector regulator OFGEM, the Information Commissioner’s Office (ICO), and the UK’s National Cyber Security Centre.
Customers’ names, addresses, dates of birth, and meter IDs were exposed. Moreover, although initially it did not appear that financial data had been compromised, the cyberattackers managed to obtain bank details of 15 small business customers of the utility, and People’s Energy contacted them individually to inform them of the situation.
Cybersecurity analysts have warned that cyberattackers are likely to use the information obtained from this breach to launch phishing-type social engineering attacks targeting the company’s customers. This is because the data they have will allow them to generate far more convincing emails by spoofing official People’s Energy communications to ask for even more sensitive data, such as financial details. This is precisely why the consequences of data breaches go far beyond the direct implications, and can even damage brand reputation as firms lose the trust of current and potential customers.
As such, data protection authorities take these types of incidents extremely seriously and there have been several previous examples of multi-million dollar fines being imposed on organizations. The ICO, for example, fined British Airways 138 million pounds (later reduced to 20 million) in relation to a data breach. More recently, an incident involving EasyJet, which we discussed on this blog, affected the data of 9 million customers and, most seriously, leaked 2208 credit card details (card number and CVV). In light of this, the ICO could impose a fine totaling up to four percent of their total turnover, which in the case of EasyJet would be 255 million pounds.
Data protection and management
Although EasyJet and British Airways both belong to the airline industry, experts agree that utilities are also a potential goldmine for adversaries seeking to access user information on large databases. That’s why in addition to being geared up to face cyberattacks that jeopardize the operational capacity of industrial installations (as Carlos Manchado, CISO of Naturgy, underlined), they must also prioritize the security of customer data.
In this context, therefore, data protection is fundamental for companies that store large quantities of end customer data (such as the electricity industry), and organizations need to adopt an adequate proactive stance towards data protection, such as implementing advanced protection technology.
The concept of data management should include classification and hierarchical ordering so that the most sensitive data is the least exposed. This means setting out different access privileges and roles within an organization, as well as a robust password policy.
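As an added illustration of the classification and role-based access described above (example code written for this page, not from the original post or from any vendor product), the Python below classifies the fields of a constructed utility customer record, gives each hypothetical role a sensitivity ceiling, masks every field above that ceiling, treats unclassified fields as restricted so the check fails closed, and records each decision for audit:

```python
from enum import IntEnum

class Sensitivity(IntEnum):
    INTERNAL = 1    # operational identifiers
    PERSONAL = 2    # directly identifying customer data
    FINANCIAL = 3   # bank and payment details
    RESTRICTED = 4  # unclassified fields: never shown in clear
# Field classification for a constructed utility customer record; the fields
# mirror the categories of data the breach exposed.
FIELD_CLASS = {
    "customer_id": Sensitivity.INTERNAL,
    "name": Sensitivity.PERSONAL,
    "address": Sensitivity.PERSONAL,
    "date_of_birth": Sensitivity.PERSONAL,
    "meter_id": Sensitivity.PERSONAL,
    "bank_account": Sensitivity.FINANCIAL,
}

# Highest sensitivity each (hypothetical) role may read in clear.
ROLE_CEILING = {
    "meter_reader": Sensitivity.INTERNAL,
    "support_agent": Sensitivity.PERSONAL,
    "billing_finance": Sensitivity.FINANCIAL,
}

def mask(value: str) -> str:
    """Keep only the last four characters so the record stays recognisable."""
    return "*" * len(value) if len(value) <= 4 else "*" * (len(value) - 4) + value[-4:]

def view_record(record: dict, role: str, audit: list) -> dict:
    """Return the record as `role` may see it, logging every field decision."""
    ceiling = ROLE_CEILING.get(role)
    if ceiling is None:
        audit.append((role, "*", "denied"))
        raise PermissionError(f"unknown role: {role}")
    view = {}
    for field, value in record.items():
        # Fail closed: an unclassified field is RESTRICTED, above every ceiling.
        level = FIELD_CLASS.get(field, Sensitivity.RESTRICTED)
        if level <= ceiling:
            view[field] = value
            audit.append((role, field, "read"))
        else:
            view[field] = mask(str(value))
            audit.append((role, field, "redacted"))
    return view

SAMPLE_RECORD = {  # constructed sample, not real customer data
    "customer_id": "C-1001", "name": "Jane Doe", "address": "1 Main St",
    "date_of_birth": "1985-03-14", "meter_id": "MTR-778", "bank_account": "12-34-56 12345678"}
```

The audit list is what a detection team would ship to a SIEM: a support agent whose sessions show repeated "redacted" hits on bank_account is a signal worth reviewing.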
Yet as hackers are using increasingly sophisticated attacks, and the human link in the security chain can be duped through social engineering or even cause insider attacks, organizations must also implement advanced solutions. The answer therefore is Cytomic Data Watch, as it discovers and protects personal and sensitive data, both in real time as well as throughout the data lifecycle, both on endpoints and on servers. It also ensures organizations are able to comply with the latest strict data protection laws such as the General Data Protection Regulation (GDPR) and other local legislation. But above all, this solution will help prevent incidents that could expose the most valuable asset of any company: its customers.