EnergyAustralia becomes latest victim in spate of cyberattacks as it reveals data from hundreds of customers has been exposed
- EnergyAustralia said data of 323 residential and small business customers was exposed
- Chinese-owned power giant said the breach occurred via its My Account portal
- Customer accounts include phone numbers and last three digits of credit cards
- The breach is the latest in a string of cyberattacks targeting Aussie businesses
One of Australia’s largest power companies has become the latest victim in a series of cyberattacks as the private details of hundreds of customers are exposed.
Chinese-owned EnergyAustralia disclosed on Friday night the personal data belonging to 323 small business and residential accounts had been hacked.
The breach occurred via its My Account portal, the energy company said in statements on its website and social media accounts.
Accounts include information like name, address, email address, utility bills, phone number, and the first six and last three digits of credit cards.
The cyberattack comes after the personal data of 11 million Optus and 1 million Medibank customers was hacked in the last two months.
The energy giant, which has 1.7 million electricity and gas customers mainly across the eastern states, disclosed the breach in a Facebook post on Friday.
‘Unfortunately, our My Account portal was targeted in a cyber incident in September-October 2022, resulting in the exposure of data for 323 residential and small business customers,’ the post read.
EnergyAustralia tried to reassure its customers the hack had been minimal and that those impacted had all been contacted.
‘There’s no evidence that the 323 customers’ information was transferred outside of our systems during the incident,’ it said.
‘No other EnergyAustralia systems were affected.’
The accounts were hacked on September 30 and the affected customers were contacted by October 2.
The energy giant, which has 1.7 million electricity and gas customers mainly across the eastern states, admitted the breach in a Facebook post titled ‘Keeping your information safe’
EnergyAustralia will now require customers to create 12-character passwords that include a mix of capital and lower case letters, numbers and special characters.
The energy company said identification documentation like driving licenses and banking details were not stored in My Account portals.
The power giant warned customers not to be fooled by ‘phishing’ scams and fake emails which try to get them to click on genuine-looking but fraudulent links.
‘At first glance, fake EnergyAustralia emails might look convincing. They feature our company name, brand logo and colours, and even our ‘View bill’ icon which will be familiar to our customers who receive eBills.’
A ‘phish’ is a disguised email that tries to lure you to enter your password into a fake website or download malicious software.
The company’s chief customer officer Mark Brownfield apologised for the impact on customers.
‘While this incident was limited in terms of customers affected, we take the security of customer information seriously and have been working hard to put in place additional layers of security to ensure the protection of all customer information,’ he said.
EnergyAustralia is owned by the China Light and Power Company after it was sold by the Australian government for $1.4 billion in 2011.
Last month technology futurist and keynote speaker Shara Evans warned Australia was an easy target for international hackers.
The tech analyst said a particular weakness was Australians’ habit of sending sensitive data in unencrypted email.
She referred specifically to healthcare and insurance providers as companies that have sub-standard practices in terms of requesting sensitive customer information.
UNSW Institute for Cyber-Security Director Nigel Phair agreed that Australia is vulnerable online and said the threat was only growing.
‘We’ve got to do a lot better in Australia when it comes to cyber-crime,’ he said.