Npower is “urgently investigating” how the personal details of around 5,000 customers were shared with others by post.
The letters included names, addresses and payment amounts – but did not include bank details.
The energy giant has apologised to affected customers and said it had informed the Information Commissioner’s Office (ICO) of the data breach.
We apologise for this error, especially to the customers whose information was incorrectly shared - around 5,000 in total.
The letters were a mailing for the company’s Feed-In Tariffs scheme for those with solar panels.
Retired GP Dr Tom Harris, from Somerset, told the BBC he received one of the letters over the weekend.
He said: “When I opened it the front page was addressed to me but overleaf were personal details of another customer. And there were another two sheets of A4 with the details of three others.
He said when he contacted Npower “they didn’t seem unduly surprised” and that the company “was aware of other people in the same situation”.
An Npower spokeswoman said: “We’re urgently investigating how this occurred with our fulfilment partner, who sent the mailing on our behalf.
“We apologise for this error, especially to the customers whose information was incorrectly shared – around 5,000 in total.”
An ICO spokeswoman said: “Npower has made us aware of an incident and we are making enquiries.”