EnergyAustralia hit by cyber-attack after Optus, Medibank Private

EnergyAustralia is the latest company to suffer a cyber-security breach, this time an attack on the customer portal that exposed the account information of hundreds of customers.

The electricity and gas provider admitted in a statement late Friday that 323 residential and small business customers had their accounts accessed via the company’s MyAccount portal in September-October 2022.

This is the latest in a string of data breaches in corporate Australia, most notably Optus and Medibank Private, but also including wine retailer Vinomofo and Woolworths’ MyDeal website.

The issue of cyber-security has also shot to greater public prominence because of mandatory disclosure laws under the “Notifiable Data Breaches” scheme in place since February 2018.

EnergyAustralia said 323 customer accounts were accessed in a cyber-security incident, but no other systems were breached. Credit: Paul Jones

An EnergyAustralia spokesperson told this masthead the company had not been in contact with the hackers, but picked up suspicious activity in routine monitoring and investigated further. They then discovered a bot, or automated software, accessing accounts through the portal. The spokesperson said the company shut down the MyAccount portal immediately to stop further accounts from being compromised and could see from reviewing the logs exactly how many accounts were accessed.

The information visible would be the same as what is available to a logged-in customer, including name, address, and electricity or gas usage. The company does not know for sure whether this information was transferred outside the EnergyAustralia system but has stressed there was no evidence it had been.

The company said no other EnergyAustralia systems were affected.

In the statement, EnergyAustralia chief customer officer Mark Brownfield apologised for the concern this would cause to customers, saying it was a small number of accounts and everyone affected had been directly contacted.

Brownfield said the company had been adding extra layers of security, including forcing all customers to upgrade to 12-character passwords. The current requirement is a password of eight characters.
