EnergyAustralia has become the latest Australian business to face a cyberattack, exposing the personal information of hundreds of clients. In a disclosure, the Australian power and gas supply utility said 323 household and small business clients were impacted by unauthorised access to its online platform, My Account.
Meanwhile, the Australian government plans to introduce legislation to increase penalties for privacy breaches.
The latest incident
‘My Account’ is EnergyAustralia’s platform where customers can access general account information including usage and bills.
“The incident occurred Friday, 30 September. My Account was taken offline as a precaution after we identified the incident and affected customers’ accounts were promptly locked,” said the company FAQ on the incident.
Customer information associated with such accounts includes names, addresses, email addresses, energy and gas bills, phone numbers, and the first six and last three digits of their credit cards. The business said there was no proof that consumer information was leaked outside of its platform.
Following the incident, EnergyAustralia announced that it has implemented 12-character passwords on its My Account online customer platform.
The legal action
The Australian government is planning legislation that will increase the maximum fine for serious or recurring privacy breaches to A$50 million ($32 million). The current penalty level is A$2.22 million.
The plan is to impose a financial penalty of three times the value of any benefit obtained through the misuse of information, or 30% of a company’s adjusted turnover in the relevant period, whichever is greater.
“Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate,” Attorney General Mark Dreyfus said in a statement. “It’s not enough for a penalty for a major data breach to be seen as the cost of doing business.”