British Gas has 'fessed up that customer data posted to Pastebin was genuine, but believes payment details were not exposed.
The BBC says it's seen an e-mail sent to customers about the privacy breach, which the energy company says was not due to a breach of its own systems.
“I can assure you there has been no breach of our secure data storage systems, so none of your payment data, such as bank account or credit card details, have been at risk,” the e-mail says. “As you'd expect, we encrypt and store this information securely. From our investigations, we are confident that the information which appeared online did not come from British Gas.”
However, the information that could have leaked would include customer names, contact details, and past bills. Wherever the breach occurred, the company told the Beeb only 2,200 customers were affected.
The BBC speculates that the customer data may have come from a phishing campaign, or from attackers testing whether people whose data had been exposed in other breaches had re-used their passwords.
Since four million accounts were compromised in the TalkTalk attack, that's not too far-fetched. ®