In the autumn of 2023, Reykjavík Energy notified the Icelandic Data Protection Authority (DPA) about a security breach in its web system, resulting in unauthorised access to the energy bills of about 5,000 Veitur Utilities customers. Most of the incidents occurred over three days in March 2021, during which the same individual systematically accessed other customers' bills.
RE's response also included immediately shutting down the service and alerting the service provider of the web solution, Origo, given the seriousness with which the matter was regarded.
The case was also reported to the police. Early in 2024, RE received information that the case had been referred to the police's prosecution department.
Furthermore, a mistake was made in sending a statement to a customer that included sensitive personal information about other customers' transactions in the dispatch. Upon realising the mistake, contact was made with the recipient to prevent further distribution. The DPA was also notified, and the case is currently being processed there. Procedures were changed subsequently.
Since the new data protection laws came into effect in 2018, no ruling in a data protection case has been unfavourable to the companies within the RE group, although a complaint from 2020 is still being processed by the DPA.
In 2021, Veitur Utilities sought the opinion of the DPA following a request from Statistics Iceland for customer data for use in the National Census. The data was handed over following the DPA's conclusion.
Due to the ongoing roll-out of smart metering by Veitur Utilities, representatives of the company held a presentation on their plans in 2022 for the staff at the DPA.