Npower might boast of “super powers” in its advertising but these obviously do not stretch to its data governance after thousands of customers’ personal details have been compromised in a targeted direct mail campaign for its Feed-In Tariffs solar panel scheme.
The issue – which affects about 5,000 customers – has been blamed on the company’s fulfilment house as, while the covering letter was correctly addressed, other customers’ details were wrongly attached.
The compromised data includes names, addresses and payment amounts, but not bank details.
Retired GP Dr Tom Harris, from Somerset, told the BBC he received one of the letters over the weekend. He said: “When I opened it the front page was addressed to me but overleaf were personal details of another customer. And there were another two sheets of A4 with the details of three others.”
Dr Harris claims that when he contacted Npower, “they didn’t seem unduly surprised” and that the company “was aware of other people in the same situation”.
An Npower spokeswoman said: “We’re urgently investigating how this occurred with our fulfilment partner, who sent the mailing on our behalf. We apologise for this error, especially to the customers whose information was incorrectly shared – around 5,000 in total.”
The energy giant has apologised to affected customers and said it had informed the Information Commissioner’s Office of the data breach.
An ICO spokeswoman confirmed: “Npower has made us aware of an incident and we are making enquiries.”
In 2015, energy regulator Ofgem fined Npower a record £26m for a billing fiasco. The issue, which affected more than 500,000 customers between September 2013 and December 2014, led to some customers having hundreds of pounds withdrawn from their bank accounts each day.
A year later, it was forced to apologise for a database gaffe which led to a woman receiving a court summons demanding over £1,000 for unpaid electricity bills even though she was not even a customer of the energy giant.
Npower finally admitted that there had been a mistake, conceding that the letters should have been sent to someone completely different at a similar-sounding street address two miles away.