Incident: EnergyAustralia portal compromised, details of 323 customers leaked | iTWire
Australian Energy Utility Incident, 23 October 2022
Electricity and gas retailer EnergyAustralia has disclosed a breach of its MyAccount platform.
The company says the breach affected 323 small business and residential customers and was automated through use of a password bot.
Company Statement: Frequently Asked Questions – My Account password update and cyber security
Source: EnergyAustralia portal compromised, details of 323 customers leaked | iTWire
In a statement issued on Friday, the company said the breach had taken place on 30 September and it informed customers the following Sunday. The platform was taken offline after the breach was discovered. All customers impacted were contacted on Sunday, 2 October, by SMS and email and were advised to call our contact centre from 9.00am on Monday, 3 October. Follow-up outbound calls to affected customers were also made during the week.
The MyAccount platform stores customers’ names, addresses, email addresses, electricity and gas bills, phone numbers, and the first six and last three digits of credit card numbers. The company added that identification documents, such as passport details or drivers’ licence details, were not stored on the platform.
The company has now implemented 12-character passwords for MyAccount users, which should have a mix of capital and lowercase letters, numbers and special characters. Prior to the incident, eight-character passwords with a mix of capital and lowercase letters and numbers were used. “However, this incident and other recent cyber incidents have highlighted this is where we need to go with password complexity.”