Thousands of British Gas customers have been informed that their email addresses and passwords have been revealed online, though the company has denied that its systems have been breached.
Accounts that have been compromised arecurrently disabled, reportsBBC News, and the company has assured customers that no bank account details have been accessed. The login details could, however, be used to find out details such as names and addresses.
The email sent to customers who have been affected reads: "I can assure you there have been no breach of oursecure data storage systems, so non of your payment data, such as bank account or credit card details, have been at risk. As you'd expect, we encrypt and store this information securely.
"From our investigations, we are confident that the information which appeared online did not come from British Gas."
The email addresses and passwords appeared on document-sharing site Pastebin, but have since been removed. It has beentheorisedthat the details were not obtained via a hack on British Gas, but from another source which was then cross-referenced with users who used the same login details across multiple accounts.
Jason Hart, CTO data protection at Gemalto, said: "Today, people often opt for easy-to-guess passwords, write them down, orjeopardisethe security of multiple accounts by using the same password for online banking, email and social media. As people havemultipleidentities across their business and personal lives, if one account is breached, the likelihood is that all personas are at risk as well.
"Breaches are not a matter of "if" but "when". Companies should also move to a 'secure breach' approach that assumesbreachesare inevitable and place security directly on the data itself by using encryption. This effectively kills the data and renders it useless should it fall into the wrong hands."
The news follows ahack on TalkTalkwhich occurredlast week, which involved a "sustained" cyber attack resulting in the exposure of customer details such as names, addresses, dates of birth, email addresses, phone numbers and other account-related details.
"As we saw with the TalkTalk breach, the failure to encrypt data has potentially exposed thepersonal and financial data of thousands if not millions of customers," Hart added.
