Thursday, 22 April, 2021
IT Security Guru

Npower shuts down app after hackers steal customer bank info  

Major UK energy supplier, Npower, has had to scrap its app after cybercriminals stole sensitive customer information, including financial data.

by Sabina
February 26, 2021
in News

Major UK energy supplier Npower has had to scrap its app after cybercriminals stole sensitive customer information, including financial data. The breach was first reported by MoneySavingExpert.com; Npower has stated that customer accounts were accessed using login details stolen from other websites.

This common cyberattack tactic, known as credential stuffing, allowed the hackers to gain access to customer accounts. Npower has confirmed that not all accounts were accessed, and that the customers whose accounts were have since been contacted about the breach and had their accounts locked.

It is still unclear exactly how the breach occurred, but the hackers were able to view personal information, partial financial information and contact preferences. The Information Commissioner's Office (ICO) has been notified in accordance with GDPR, and an investigation is under way.

The Npower app will remain shut down (its closure had already been planned following the acquisition by Eon), with the company saying it will ensure a similar attack is avoided. Customers have been told to continue using the website services as normal.

Further advice from Npower asks all users to change their passwords on all other accounts and to ensure that the same password is not reused across accounts. Users should also be alert to any potentially fraudulent or suspicious activity on their bank accounts.

If you think you’ve been a victim of fraud, report it to Action Fraud online at actionfraud.police.uk or by calling 0300 123 2040.

Providing further insight and advice are the following cybersecurity experts:

James McQuiggan, security awareness advocate at KnowBe4:

“We all know it’s easier to remember one style of password or one password for all of our accounts. However, cybercriminals are fully aware of this and use passwords stolen from other data breaches to access various user accounts. While phishing and other attack vectors involve more analysis and security measures, credential stuffing is something that we as individuals can fix ourselves.

There are free monitoring services available, like HaveIBeenPwned.com, where you can find out if your email is known to be involved in a previous data breach. Keeping track of your passwords in a password vault is the first step toward protecting your accounts. The second step is to always change that password when it has been compromised in a data breach. The third step is to have unique and strong passwords for each account you create, reducing the likelihood of a credential stuff attack.

Finally, using multi-factor authentication or MFA, wherever provided by the organization, can add that extra layer of protection to an account. If the password is compromised, it is significantly more difficult for cybercriminals to gain access and expose a user’s data. Organizations want to implement a robust security culture to inform users of the importance of unique passwords to reduce the risk of compromised accounts and the potential loss of stolen Personally Identifiable Information.”

Martin Jartelius, CSO at Outpost24:

“It’s unfortunate this breach has occurred but in terms of security for customers, individuals should always be attentive to their card transactions because fraudulent activity is likely after a significant breach like this.

Furthermore, most people today will have hundreds of online accounts and trying to create a unique, but memorable, password for them all is challenging. Password managers are helpful but two-factor authentication should ideally be something most sites offer today. Additionally, increase your password strength with longer characters (they are harder to crack with 10 plus characters) and use a combination of capitals, numbers, and special characters that don’t spell common words.

While the details are still unclear of how this breach happened, based on our experience, we advise all organisations to test their cybersecurity regularly. It’s a proactive approach that uncovers misconfigurations, bad assumptions, and incompatibilities in both IT and security technology that might expose an entry point for attack. Many successful attacks are made through known, exploitable vulnerabilities that go unpatched while the security staff is chasing the vector of the most recent publicly-reported breach.”

Lewis Jones, Threat Intelligence Analyst at Talion:

“This breach is a further example of attackers targeting the energy sector, which continues to be an attractive target for attackers with financial, geopolitical and hacktivist motivations. In 2021 there have already been a number of attacks targeting this sector. Those affected should follow the advice provided by Npower in terms of changing passwords etc., but users should also review whether this password is used on another site. This further demonstrates why good password hygiene is vitally important. Users should always remember: use strong passwords that are complex and combine uppercase letters, lowercase letters, numbers, and symbols. The best passwords are long (more than 16 characters) and completely random. Never reuse passwords.”

Burak Agca, security engineer at Lookout:

“Users should always use unique passwords for every service to thwart credential stuffing attacks and use a password manager to keep track of the large number of necessary passwords. It is also advised to use two-factor authentication whenever possible.

For enterprises it’s necessary to make two-factor authentication available to all users if this is not done already. Organisations should also limit the amount of personal data available through their public-facing APIs to a minimum – e.g. banking information or date of birth could be made write-only so that the user can enter or even update it but it cannot (or only in a redacted form) be displayed or queried in an app or on their website. Furthermore, closely monitor systems to detect login patterns that may indicate credential stuffing.”
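The login-pattern monitoring recommended above can be a simple rule over authentication logs: one source address trying many distinct usernames with a high failure rate is the signature of credential stuffing, while a single user fumbling their own password is not. The following is an added example (not code from Npower, Lookout or any expert quoted here) run over constructed sample log lines; the log format, field names and thresholds are assumptions, and the rule also reports which accounts the flagged source logged into successfully, so those accounts can be locked and their owners contacted as Npower did.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from any real system).
# 203.0.113.7 sprays six different usernames in a few seconds and hits one;
# 198.51.100.9 is one user retrying their own password after a typo.
SAMPLE_LOG = """\
2021-02-20T10:00:01Z ip=203.0.113.7 user=alice@example.test result=fail
2021-02-20T10:00:02Z ip=203.0.113.7 user=bob@example.test result=fail
2021-02-20T10:00:02Z ip=203.0.113.7 user=carol@example.test result=success
2021-02-20T10:00:03Z ip=203.0.113.7 user=dave@example.test result=fail
2021-02-20T10:00:03Z ip=203.0.113.7 user=erin@example.test result=fail
2021-02-20T10:00:04Z ip=203.0.113.7 user=frank@example.test result=fail
2021-02-20T10:05:00Z ip=198.51.100.9 user=alice@example.test result=fail
2021-02-20T10:05:30Z ip=198.51.100.9 user=alice@example.test result=success
"""

# Assumed line layout: "<timestamp> ip=<addr> user=<name> result=<fail|success>"
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$")


def parse(log_text):
    """Turn raw log text into a list of event dicts, skipping malformed lines."""
    return [m.groupdict() for line in log_text.splitlines() if (m := LINE_RE.match(line))]


def stuffing_sources(events, min_users=5, min_fail_ratio=0.6):
    """Return the source IPs whose attempts look like credential stuffing.

    A source is flagged when it tried at least `min_users` distinct usernames
    and at least `min_fail_ratio` of its attempts failed (thresholds are
    assumptions to tune per site). Each flagged entry lists the accounts it
    successfully logged into, i.e. the accounts to lock and notify.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "hits": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "fail":
            s["fails"] += 1
        else:
            s["hits"].add(e["user"])
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "fail_ratio": round(ratio, 2),
                           "compromised": sorted(s["hits"])}
    return flagged


if __name__ == "__main__":
    for ip, info in stuffing_sources(parse(SAMPLE_LOG)).items():
        print(ip, info)
```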

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic