EnergyAustralia struck by cyber breach attacking ‘weakness in password rules’

EnergyAustralia is the latest company to suffer a cyber-security breach, this time an attack on the customer portal that exposed the account information of hundreds of customers.

The electricity and gas provider admitted in a statement late Friday that 323 residential and small business customers had their accounts accessed via the company’s MyAccount portal in September-October 2022.

This is the latest in a string of data breaches in corporate Australia, most notably Optus and Medibank Private, but also including wine retailer Vinomofo and Woolworths’ MyDeal website.

The issue of cyber-security has also shot to greater public prominence because of mandatory disclosure laws under the “Notifiable Data Breaches” scheme in place since February 2018.

EnergyAustralia said 323 customer accounts were accessed in a cyber-security incident, but no other systems were breached.Credit:Paul Jones

An EnergyAustralia spokesperson told this masthead the company had not been in contact with the hackers, but picked up suspicious activity in routine monitoring and investigated further. They then discovered a bot, or automated software, accessing accounts through the portal. The spokesperson said the company shut down the MyAccount portal immediately to stop further accounts from being compromised and could see from reviewing the logs exactly how many accounts were accessed.

The information visible would be the same as what is available to a logged-in customer, including name, address, and electricity or gas usage. The company does not know for sure whether this information was transferred outside the EnergyAustralia system but has stressed there was no evidence it had.

The company said no other EnergyAustralia systems were affected.

In the statement, EnergyAustralia chief customer officer Mark Brownfield apologised for the concern this would cause to customers, saying it was a small number of accounts and everyone affected had been directly contacted.

Brownfield said the company had been adding extra layers of security, including forcing all customers to upgrade to 12-character passwords. The current requirement is a password of eight characters.

“We recognise the transition to more secure passwords won’t be easy for all our customers, however, this incident and other recent cyber incidents have highlighted this is where we need to go with password complexity,” he said.

Robert Potter, cyber-security researcher and chief executive of Internet 2.0, said it was entirely possible only 323 accounts were accessed in what was a common and unsophisticated attack.

“They’ve been pretty open that there was probably a weakness in the password rules,” he said.

“That’s, in my view, not a huge mistake. The more complex you make things for users, you do make it more secure, but you also make it harder on people’s grandparents to get this stuff working, so there’s a balance.”

Potter said EnergyAustralia’s explanation was plausible, but it would be “getting the full scrutiny of the market” because of recent cases where other companies had mishandled communication about data breaches.

On Thursday, Medibank Private admitted that hackers had stolen sensitive health information from 1 million customers, after initially stressing it had no evidence that sensitive information had been accessed.

Earlier this month, Optus fell prey to one of the biggest data breaches in Australian history, involving 9.8 million customers. The company described it as a sophisticated attack but Home Affairs Minister Clare O’Neil and most cyber-security experts have disputed this.

Potter said the mandatory disclosure rules meant the public was now hearing about data breaches that would have once been kept secret. He said companies should take time for a full investigation before rushing out statements that might turn out to be inaccurate.

The Morning Edition newsletter is our guide to the day’s most important and interesting stories, analysis and insights. Sign up here.

Most Viewed in Technology

From our partners

Source: Read Full Article