Personal information of thousands of feed-in tariff recipients has been incorrectly shared by npower, sparking an investigation by the Information Commissioner’s Office into the supplier and an unnamed ‘fulfilment partner’.

The supplier is “urgently investigating” how the names, addresses, payment amounts and FiT reference numbers of around 5,000 of its customers were received through the post by the wrong people.

It added that an internal investigation would be conducted with a fulfilment partner which had sent the postal mailing on the supplier’s behalf.

“We apologise for this error – especially to the customers whose information was incorrectly shared,” the company said in a statement.

While no bank details were included in the data breach, npower is understood to have assessed that the incident required a notification to the Information Commissioner’s Office (ICO).

New regulation requires that this be done within 72 hours of first becoming aware of a personal data breach, but the ICO would neither confirm nor deny that the supplier met this requirement.

The information protection authority will now conduct its own investigation before deciding a course of action, which could include hefty fines for npower under the recently introduced General Data Protection Regulation (GDPR).

Under the European Union law, fines of up to €20 million (~£17.8 million) or 4% of annual global turnover, whichever is higher, could be applied.

In 2017, npower reported revenue of just over £6 billion, meaning a potential fine of around £241 million could be levied under GDPR if the supplier is found responsible.