Energy giant Npower is “urgently investigating” how the personal details of some 5,000 customers were shared in a postal mailing.
The letters included people’s names, addresses, and payment amounts.
A Npower spokesman said no bank details were released and it had informed the Information Commissioner’s Office (ICO) of the data breach.
The company has apologised to all the customers whose information was incorrectly shared.
The envelopes contained the quarterly statement for people who have solar panels on their roof and detailed of the amount of money they would receive as part of the feed-in tariff scheme.
Retired GP Dr Tom Harris from Somerset said he received the letter over the weekend.
‘Not unduly surprised’
“When I opened it the front page was addressed to me but overleaf were personal details of another customer. And there were another two sheets of A4 with the details of three others,” he said.
“They should have gone to people living in Gloucestershire, Sheffield, Oxford and Bedford.”
He said when he contacted Npower “they didn’t seem unduly surprised” and that the company “was aware of other people in the same situation”.
The 77-year-old says he is now concerned his details may have been divulged and is yet to hear back from Npower.
“It’s of considerable concern this is another gateway to identity fraud,” he added.
An ICO spokesperson said: “Under new laws, organisations must notify the ICO within 72 hours of becoming aware of a personal data breach unless it does not pose a risk to people’s rights and freedoms.”
NPower could potentially face fines from the ICO, which has been informed of the breach.
Under the EU’s General Data Protection Regulation, fines can be up to 4% of a company’s global annual revenue.