Powergen in security scandal - thousands of debit card details open to abuse

UK utility, Powergen, has admitted to a massive security breach that left the debit card details of thousands of customers open to a potential multimillion pound fraud.

The security hole was discovered by a Powergen customer and silicon.com viewer, John Chamberlain, when he went to the company's site to pay his bill online. Chamberlain - an IT manager - said he was surprised to discover three files on the web server, containing the names, addresses and card details of more than 7,000 home and business users, including his own.

"I was well shocked when I found my own details there," said Chamberlain, who ran into the problem on 7 July. "I immediately contacted Powergen. They were embarrassed about it, and dealt with it quickly."

Chamberlain also contacted the Visa fraud office to ensure that his card details were not compromised. When Powergen told him that the company was not planning to contact the other customers on the list, he complained to the Data Protection Commissioner. The Office of the Commissioner confirmed that it has received Chamberlain's complaint.

silicon.com has seen a file containing just over 2,500 of the customers' details, and has contacted some of those named in the file. silicon.com confirmed that they are Powergen customers, and read out to each their card number, expiry date, address, phone number, email address and the amount and date of their last payment to Powergen. All were surprised that the breach had occurred and angry that Powergen had not made any attempt to contact them.

"I'm calling Powergen to make a formal complaint," said one irate customer.

Powergen admitted it received a call from Chamberlain about the security problem, but said its investigation found the site to be secure. Mike Pollack, spokesman for Powergen, said on 10 July: "We have no evidence to substantiate his claim."

However, when silicon.com today informed Powergen that we had seen the card details in the file, the company changed its story. Powergen is now accusing Chamberlain of hacking into the site, and has threatened both him and silicon.com with legal action.

"My understanding is that the information was not obtained fairly," said a Powergen spokeswoman. "We are referring the matter to the police."

Chamberlain denied the hacking charge. "I removed part of the URL and the details were sitting there on an unsecured directory file," he said, claiming he obtained the information without encountering any barriers or requests for passwords.

The news that one of the UK's largest utilities has fallen victim to such a major security breach will further shake consumer confidence in electronic commerce.

Concerned customers can phone Powergen on 0800 363 363.