Are you paying someone else’s energy bill? When a handy shortcut goes wrong…

3rd March 2023

I have been paying someone else’s energy bill for the last 6 months, by mistake. Ovo Energy had a shortcut in their customer experience, that makes identifying a person fast and straightforward. After all, no one wants to spend longer on a call to their energy provider than they need to, right?

The bad news is – that shortcut was flawed and has meant that I have been underpaying for months – and therefore, now have to pay a top-up, and my credit rating may be damaged. So, if I’ve been paying someone else’s bill, who has been paying mine?

Let’s look at this flaw in more detail:

Ovo were locating an individual’s bill data using the customers birthdate and the digits in the customers postcode. So, what’s the problem? This process is error prone.

Example: A customer born in on the 1 April 1960, living at PO6 4TY, their access code would be 1960 04 01 followed by 64 (so that’s the digits of their date of birth, and the numbers only of their postcode).

11 people would also share this access code!

The calculations can be found at the bottom of this article. Given that Ovo Energy has approximately 4.5 million customers from a population of 60 million, you could expect on average that each Ovo Energy customer has a unique birthdate and postcode digits. But using the selection implemented by Ovo Energy, you cannot guarantee that this method correctly identifies every customer. Some combinations of birthdates and postcode digits will have no customers, others will have 2,3,4 or more customers.

The method of identifying customers implemented by Ovo Energy was a handy shortcut, but was flawed for the following reasons:

it did not guarantee to uniquely identify each of their separate customers
it did not allow for mis-keying of the numbers (no checks were done)
it would not reliably detect number transposition

Bad payment histories allow energy providers to send in the bailiffs into peoples’ homes.

The worrying aspect of this is that as an energy supplier, Ovo Energy has the right to send bailiffs in to people’s homes on the basis of this, and other software, created by the same team. How can they make a legal decision based on flawed technological processes?

My question to prosecutors and lawyers is when you prosecute, as professionals, are you required to check the reliability of the software used as a basis for your prosecution? This is yet another chink in the armour of personal data and security, along with so many others, for example, the humble QR code. Whilst a QR code is a handy shortcut, there is no inherent security in the QR code, and they now feature in lists of recognised data security risks, so think twice before using them!

If your project needs a secure way to uniquely identify your paperwork, objects or items then contact me to talk about Countermark – a robust secure way to uniquely identify or serialise.

UPDATE: After notifying Ovo Energy of this issue, within 2 weeks it looks like it has been fixed.

Link to Video reporting this issue: