EnergyAustralia Electricity company discloses security breach

Electricity company EnergyAustralia suffered a security breach, threat actors had access to information on 323 customers.

Another Australian organization was hit by a severe cyber attack, this time the victim is the Electricity company EnergyAustralia. EnergyAustralia is the country’s third-largest energy retailer.

The company confirmed that threat actors had access to information on 323 residential and small business customers but ‘no evidence’ of data exfiltration.

According to a statement released on Friday, the compromised data were stored on the company’s online platform, My Account, and included customer names, addresses, email addresses, electricity and gas bills, phone numbers, and the first six and last three digits of their credit cards.

EnergyAustralia pointed out that sensitive data, such as passwords, banking information, driver licences, or passports, were not compromised because they were not stored on the platform.

“There is no evidence that customer information was transferred outside of EnergyAustralia’s systems, and importantly, identification documentation, such as driver’s licences or passports, and banking information, are not stored on My Account,” the energy company said of the hack that occurred on September 30.” reads the statement published by the company. “It added that impacted customers had been contacted by text and email on October 2 with a prompt to reset their passwords.”

The breach occurred on 30 September, the company believes the attack was carried out using a bot.

The company notified the affected users on 2 October, it also reported the incident to regulatory authorities and law enforcement.

The company reset customers’ passwords and forced the use of 12-character strong passwords.

EnergyAustralia chief customer officer, Mark Brownfield, apologised for the security breach.

“We apologise for the concern that this issue may have caused our customers,” Brownfield said.

“While this incident was limited in terms of customers affected, we take the security of customer information seriously and have been working hard to put in place additional layers of security to ensure the protection of all customer information.”

“This now includes the implementation of 12-character passwords. We recognise the transition to more secure passwords won’t be easy for all our customers, however, this incident and other recent cyber incidents have highlighted this is where we need to go with password complexity.”

Other major Australian organizations recently suffered security breaches, including Optus and Medibank.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, EnergyAustralia)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.