EnergyAustralia customers’ data exposed after Optus, Medibank cyberattacks
EnergyAustralia becomes the latest victim of a wave of cyber-attacks as it reveals hundreds of customers’ data has been exposed
- EnergyAustralia said the data of 323 private and small business customers was exposed
- The Chinese power giant said the breach was made through its My Account portal
- Customer accounts contain phone numbers and the last three digits of credit cards
- The breach is the latest in a series of cyber-attacks targeting Australian companies
One of Australia’s largest energy companies has become the latest victim of a series of cyber-attacks as the private information of hundreds of customers is revealed.
China’s EnergyAustralia announced Friday evening that the personal data of 323 small businesses and private accounts had been hacked.
The breach took place through its My Account portal, the energy company says in statements on its website and social media accounts.
Accounts contain information such as name, address, email address, utility bills, phone number, and the first six and last three digits of credit cards.
The cyber attack comes after the personal data of 11 million Optus and 1 million Medibank customers was hacked in the past two months.
The energy giant, which has 1.7 million electricity and gas customers, mostly in the eastern states, disclosed the breach in a Facebook post Friday.
“Unfortunately, our My Account portal was the target of a cyber incident in September-October 2022, resulting in data exposure for 323 private and small business customers,” the message reads.
EnergyAustralia tried to reassure its customers that the hack had been minimal and that everyone involved had been contacted.
“There is no evidence that information from the 323 customers passed outside our systems during the incident,” the report said.
“No other EnergyAustralia systems were affected.”
The accounts were hacked on September 30 and the affected customers were contacted on October 2.
The Facebook post in which the company admitted the breach was titled “Keeping your information safe.”
EnergyAustralia now requires customers to create 12 character passwords that contain a combination of upper and lower case letters, numbers and special characters.
The energy company said identification documents such as driver’s licenses and bank details were not stored in My Account portals.
The energy giant warned customers not to be fooled by ‘phishing’ scams and fake emails that try to get them to click on real-looking but fraudulent links.
“At first glance, fake EnergyAustralia emails may seem convincing. They feature our company name, brand logo and colors, and even our ‘View Invoice’ icon which will be familiar to our customers who receive eBills.”
A “phish” is a disguised email that tries to trick you into entering your password on a bogus website or downloading malicious software.
The company’s chief customer officer, Mark Brownfield, apologized for the impact on customers.
“While this incident was limited in terms of affected customers, we take customer information security seriously and have worked hard to implement additional layers of security to ensure the protection of all customer information,” he said.
EnergyAustralia is owned by the China Light and Power Company after it was sold by the Australian government in 2011 for $1.4 billion.
Last month, technology futurist and keynote speaker Shara Evans warned that Australia is an easy target for international hackers.
The tech analyst said one particular weakness was Australia’s habit of sending sensitive data in unencrypted email.
She specifically referred to health care and insurance providers as companies that have substandard practices in retrieving sensitive customer information.
UNSW Institute for Cyber-Security director Nigel Phair agreed that Australia is vulnerable online and said the threat was only growing.
“We need to do much better in Australia when it comes to cybercrime,” he said.