British Gas has said it is “confident” the data leak affecting more than 2,000 of its customers had not come from within the company.
The email address and passwords of 2,200 of its customers appeared online on Wednesday evening - the third technology glitch to affect a major UK company in a week.
The firm insisted its systems are secure, after sending out an email to more than 2,000 customers reassuring them the information had not come from the company. It said the leak was caused by “someone external”, and it added that no payment data had been compromised.
The email, from British Gas Customer Services, told customers: “I can assure you there has been no breach of our secure data storage systems, so none of your payment data, such as bank account or credit card details, have been at risk.
“As you’d expect, we encrypt and store this information securely.
“From our investigations, we are confident that the information which appeared online did not come from British Gas.”
Affected customers are being asked to make contact by phone or to securely reset their passwords via the company’s website.
Details will be sent to the Information Commissioner’s Office following the leak, it added.
The data was uploaded to Pastebin, a temporary text uploading website, and discovered by British Gas during routine online checks. The firm removed the data on Wednesday evening.
The company could not confidently pin down a cause for the leak but said it was “someone external”, and one possible explanation could be that customers had been victims of a targeted phishing attack.
A British Gas spokeswoman said the leaks affected only a “small proportion” of its 14 million customers.
She said the incident was “very different” to the cyber attacks suffered recently by phone and broadband provider TalkTalk and Marks & Spencer, when customer details were visible online.
All customer accounts are now secure. she added.
On Tuesday evening, Marks & Spencer had to suspend its website for two hours after customers were able to see other people’s details when they logged into their accounts.
The company said no-one’s details were compromised by the “internal technical problem”.
Last week TalkTalk was targeted in a cyber attack in which it said bank account numbers and sort codes, like those printed on a cheque, may have been accessed. A joint operation between the Met’s cyber crime unit, the PSNI’s cyber crime centre and the National Crime Agency is continuing to probe the incident.
It is not known how many of the telecoms giant’s four million UK customers may have been affected by the attack.