EnergyAustralia customers data exposed after Optus, Medibank cyberattacks by hackers

EnergyAustralia becomes latest victim in spate of cyberattacks as it reveals data from hundreds of customers has been exposed

  • EnergyAustralia said data of 323 residential and small businesses was exposed
  • Chinese-owned power giant said the breach occurred via its My Account portal
  • Customer accounts include phone numbers and last three digits of credit cards 
  • The breach is the latest in a string of cyberattacks targeting Aussie businesses

One of Australia’s largest power companies has become the latest victim in a series of cyberattacks as the private details of hundreds of customers are exposed. 

Chinese-owned EnergyAustralia disclosed on Friday night the personal data belonging to 323 small business and residential accounts had been hacked.

The breach occurred via its My Account portal, the energy company said in statements on its website and social media accounts.

Accounts include information like name, address, email address, utility bills, phone number, and the first six and last three digits of credit cards.

The cyberattack comes after the personal data of 11 million Optus and 1 million Medibank customers was hacked in the last two months.

Chinese-owned EnergyAustralia disclosed in statements on Friday night that the data of 323 small business and residential customers had been exposed in a breach

The energy giant, which has 1.7 million electricity and gas customers mainly across the eastern states, disclosed the breach in a Facebook post on Friday. 

‘Unfortunately, our My Account portal was targeted in a cyber incident in September-October 2022, resulting in the exposure of data for 323 residential and small business customers,’ the post read. 

EnergyAustralia tried to reassure its customers the hack had been minimal and that those impacted had all been contacted. 

‘There’s no evidence that the 323 customers’ information was transferred outside of our systems during the incident,’ it said.

‘No other EnergyAustralia systems were affected.’

The accounts were hacked on September 30 and the affected customers were contacted by October 2. 

The energy giant admitted the breach in a Facebook post titled 'Keeping your information safe'

The company, which has 1.7 million electricity and gas customers mainly across the eastern states, tried to reassure its customers the impact was minimal

The energy giant, which has 1.7 million electricity and gas customers mainly across the eastern states, admitted the breach in a Facebook post titled ‘Keeping your information safe’

EnergyAustralia said identification documentation like driving licenses and banking details were not stored in My Account portals (stock image)

EnergyAustralia will now require customers to create 12-character passwords that include a mix of capital and lower case letters, numbers and special characters. 

The energy company said identification documentation like driving licenses and banking details were not stored in My Account portals.  

The power giant warned customers not to be fooled by ‘phishing’ scams and fake emails which try to get them to click on genuine-looking but fraudulent links.

EnergyAustralia hacked – account warning

The data of 323 EnergyAustralia customers was exposed in a new hack of its My Account portal.

The company warned customers over the security of their online passwords.

It suggested customers:

  • Create a password with a minimum of 12 characters, with a mix of upper- and lower-case letters, special characters and numbers
  • Don’t use a password that you’ve used before or for other accounts
  • Don’t share your password with anyone
Source: EnergyAustralia
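As an added illustration of the password rules in that advice (example code written for this page, not EnergyAustralia's own portal logic): a checker for the 12-character mix rule, plus a reuse check that compares the candidate against salted PBKDF2 hashes of previous passwords, so the old passwords themselves never need to be stored.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

MIN_LENGTH = 12  # the new minimum EnergyAustralia announced, per the article

def policy_violations(password: str) -> List[str]:
    """Return the rules the candidate fails; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Store (salt, digest), never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest

def was_used_before(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """Re-derive the digest under each stored salt; compare in constant time."""
    for salt, stored in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, stored):
            return True
    return False

def check_new_password(password: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Combine the complexity rules with the 'never reuse a password' rule."""
    problems = policy_violations(password)
    if was_used_before(password, history):
        problems.append("reused a previous password")
    return problems

if __name__ == "__main__":
    # Constructed sample: one previous password on file, one new candidate.
    previous = [hash_password("Tr0ub4dor&3x!")]
    print(check_new_password("Tr0ub4dor&3x!", previous))   # flags the reuse
    print(check_new_password("correct horse battery", previous))
```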

‘At first glance, fake EnergyAustralia emails might look convincing. They feature our company name, brand logo and colours, and even our ‘View bill’ icon which will be familiar to our customers who receive eBills.’ 

A ‘phish’ is a disguised email that tries to lure you to enter your password into a fake website or download malicious software. 

The company’s chief customer officer Mark Brownfield apologised for the impact on customers.

‘While this incident was limited in terms of customers affected, we take the security of customer information seriously and have been working hard to put in place additional layers of security to ensure the protection of all customer information,’ he said.

EnergyAustralia is owned by the China Light and Power Company after it was sold by the Australian government for $1.4 billion in 2011.

Last month technology futurist and keynote speaker Shara Evans warned Australia was an easy target for international hackers.

The tech analyst said a particular weakness was Australians’ habit of sending sensitive data in unencrypted email.

She referred specifically to healthcare and insurance providers as companies that have sub-standard practices in terms of requesting sensitive customer information.

UNSW Institute for Cyber-Security Director Nigel Phair agreed that Australia is vulnerable online and said the threat was only growing.  

‘We’ve got to do a lot better in Australia when it comes to cyber-crime,’ he said. 

Tech analyst’s top 10 tips to stay safe online

Shara Evans is a technology futurist and expert in online safety. Here are her tips to stay safe from hackers

1. Get basic IT security on devices including anti-virus programs, malware checkers, ransomware checkers, VPN, firewalls.

2. Use different passwords for every website and app. Make them long and complex – upper plus lower case letters, numbers, special characters. Save your passwords in an encrypted password vault.

3. Use two-factor authentication whenever possible (i.e. logging into a secure bank portal requires you to provide an authentication code that’s sent to you via text or email or requires a SecureID token number)

4. Use multiple email addresses. If you own a domain, it’s easy to set up an email alias (‘forwarder’) that names a specific site or type of activity. If compromised you can then disable an email alias address without impacting everything that you do. And, it will help you to identify the source of the leak.

5. Check your credit reports for signs of fraudulent activity – or wrong info.

6. Sign up for a credit/ID protection plan and put in place credit report bans if you have reason to suspect that your ID is compromised.

7. NEVER click on text or email hyperlinks that you don’t absolutely know are legit. Lots of people get in trouble this way. You can check a compressed link by copying it and entering it into the SEARCH BAR to see what shows up. If it’s malware, you may see a notice. At the very least, check if the source domain seems suspicious, in which case don’t click it!

8. When uploading any sensitive info to a website portal check for the lock icon (https) – this means that your data is encrypted ‘in transit’ when it’s uploaded to the website. Company cyber security practices vary widely.

9. If someone phones you saying they’re from Company X – NEVER give out any info to them, unless you know them and are already expecting a call from a specific phone number or person. 

10. NEVER publish your birthdate online! If you have it on social media DELETE it now. Unless you are doing an official financial transaction, there are very few good reasons for any party to know your real birthdate, much less store it.
