Capital Economics and People's Energy Breaches Exposed Customer Data
Capital Economics and People's Energy both suffered data breaches in December 2020 that later surfaced in breach disclosures, exposing large volumes of customer information. Capital Economics, an economic research firm, had about 263,000 customer records compromised, including names, email addresses, physical addresses, phone numbers, job titles, and employer details.
People's Energy, a UK power company, had nearly 7GB of data exposed, affecting 359,000 unique email addresses along with names, phone numbers, physical addresses, and dates of birth. The breach also exposed staff email addresses and bcrypt password hashes, although available reporting said no customer passwords were included in the leaked data.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
People's Energy breach exposes 359,000 email addresses and 7GB of data
In December 2020, UK power company People's Energy suffered a data breach that exposed nearly 7GB of data, including 359,000 unique email addresses. The compromised information included names, phone numbers, physical addresses, dates of birth, and staff email addresses with bcrypt password hashes; available information indicated no customer passwords were exposed.
Capital Economics data breach exposes about 263,000 customer records
In December 2020, economic research company Capital Economics experienced a data breach affecting approximately 263,000 customer records. Exposed data included names, email addresses, physical addresses, phone numbers, job titles, and customers' employers.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Social Engineering Breaches Exposed Customer Data at Figure and Allianz Life
Figure and Allianz Life disclosed separate breaches in which attackers used **social engineering** to gain access to systems holding large volumes of customer data. Figure said an employee was deceived into granting access, leading to the public posting of a dataset from January 2026 that contained more than **900,000 unique email addresses** as well as names, phone numbers, physical addresses, and dates of birth. Allianz Life reported that a cyberattack in July 2025 targeted data stored on **Salesforce** and was later followed by the online leak of **1.1 million unique email addresses**. The exposed Allianz Life records also included names, genders, dates of birth, phone numbers, and physical addresses, underscoring how social engineering attacks continue to drive large-scale exposure of sensitive personal information across financial services firms.
Mar 27, 2026
Multiple Consumer Data Exposures: IDMerit Database Leak, youX Intrusion, and Substack User Data Access
Cybersecurity researchers reported a major exposure at **IDMerit**, an AI-driven identity verification provider, after discovering an unsecured, internet-accessible **MongoDB** instance containing **over 3 billion records** (over 1TB). Exposed data reportedly included full names, addresses, dates of birth, national ID numbers, phone numbers, and email addresses; researchers estimated roughly **~1 billion** records contained sensitive data (with duplicates likely inflating the total). The dataset was described as global in scope, affecting individuals across **26 countries**, with large volumes attributed to the **US, Mexico, and the Philippines**, creating downstream risk for **identity fraud, account takeover, phishing, and SIM-swap** activity. Separately, Australian finance technology platform **youX** confirmed an **unauthorized third-party access** incident, after which a hacker claimed theft of data tied to **444,528** Australian borrowers and additional loan-application and identity data (including driver’s licence numbers, addresses, and credit/banking-related information), plus customer/staff details associated with broker organizations. **Substack** also confirmed unauthorized access to **limited user data** (including email addresses, phone numbers, and internal account metadata) that occurred in **October 2025** but was only identified on **Feb. 3, 2026**; Substack stated **passwords and payment card/financial data were not accessed**, but the extended detection gap raised concerns about monitoring and dwell time.
Mar 21, 2026
Hacking Forum Posts Expose Customer Data from digiDirect and MediaWorks
Customer and marketing data from Australian retailer **digiDirect** and New Zealand media company **MediaWorks** was exposed after separate datasets were posted to a popular hacking forum. The digiDirect breach, published in September 2024, contained more than **300,000** rows of personal information, including names, email addresses, physical addresses, phone numbers, and dates of birth. About half of the email addresses were tied to external marketplace domains such as **Amazon**, **eBay**, and **Westfield**, suggesting some affected records may have come from third-party marketplace activity. MediaWorks suffered a larger exposure after a dataset was publicly posted in March 2024 containing millions of rows and **163,000 unique email addresses** linked to people who entered online competitions. The leaked records included names, physical addresses, phone numbers, dates of birth, genders, and competition responses. Following the leak, some victims reportedly received ransom demands seeking payment in exchange for deletion of their stolen data, underscoring the downstream extortion risk created by publicly traded personal data.
Mar 27, 2026