EnergyAustralia Electricity company discloses security breach

Electricity company EnergyAustralia suffered a security breach, threat actors had access to information on 323 customers.

Another Australian organization was hit by a severe cyber attack, this time the victim is the Electricity company EnergyAustralia. EnergyAustralia is the country’s third-largest energy retailer.

The company confirmed that threat actors had access to information on 323 residential and small business customers but ‘no evidence’ of data exfiltration.

According to a statement released on Friday, the compromised data were stored on the company’s online platform, My Account, and included customer names, addresses, email addresses, electricity and gas bills, phone numbers, and the first six and last three digits of their credit cards.

EnergyAustralia pointed out that sensitive data, such as passwords, banking information, driver licences, or passports, were not compromised because they were not stored on the platform.

“There is no evidence that customer information was transferred outside of EnergyAustralia’s systems, and importantly, identification documentation, such as driver’s licences or passports, and banking information, are not stored on My Account,” the energy company said of the hack that occurred on September 30.” reads the statement published by the company. “It added that impacted customers had been contacted by text and email on October 2 with a prompt to reset their passwords.”

The breach occurred on 30 September, the company believes the attack was carried out using a bot.

The company notified the affected users on 2 October, it also reported the incident to regulatory authorities and law enforcement.

The company reset customers’ passwords and forced the use of 12-character strong passwords.

EnergyAustralia chief customer officer, Mark Brownfield, apologised for the security breach.

“We apologise for the concern that this issue may have caused our customers,” Brownfield said.

“While this incident was limited in terms of customers affected, we take the security of customer information seriously and have been working hard to put in place additional layers of security to ensure the protection of all customer information.”

“This now includes the implementation of 12-character passwords. We recognise the transition to more secure passwords won’t be easy for all our customers, however, this incident and other recent cyber incidents have highlighted this is where we need to go with password complexity.”

Other major Australian organizations recently suffered security breaches, including Optus and Medibank.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, EnergyAustralia)

[adrotate banner=”5″]

[adrotate banner=”13″]