EnergyAustralia has become the latest company to be targeted by a cyber-attack, with hundreds of customers’ details exposed.
In a statement released late on Friday, the electricity company said 323 residential and small business customers were affected by unauthorised access to their online platform, My Account.
Details including customer names, addresses, email addresses, electricity and gas bills, phone numbers and the first six and last three digits of their credit cards are all included with those accounts.
The company said there was “no evidence” customer details were transferred outside the company’s platform.
They also said sensitive documents such as driver licences or passports were not stored on the platform.
“There is no evidence that customer information was transferred outside EnergyAustralia’s systems, and importantly, identification documentation, such as driver’s licences or passports, and banking information, are not stored on My Account.”
“This information remains secure. No other EnergyAustralia systems were affected.”
Customers are now required to implement 12-character passwords, which will have to include a mix of capital and lower case letters, numbers and special characters.
Only eight characters were previously required for account passwords.
The breach occurred on 30 September, and affected users were contacted on 2 October, with the company also briefing regulatory authorities and government agencies.
EnergyAustralia chief customer officer, Mark Brownfield, apologised for the breach in the statement, urging customers to change their passwords.
“We apologise for the concern that this issue may have caused our customers,” he said.
“While this incident was limited in terms of customers affected, we take the security of customer information seriously and have been working hard to put in place additional layers of security to ensure the protection of all customer information.
“This now includes the implementation of 12-character passwords. We recognise the transition to more secure passwords won’t be easy for all our customers, however, this incident and other recent cyber incidents have highlighted this is where we need to go with password complexity.”
The breach comes after Optus and Medibank were recently the targets of major cyber-attacks.
Cybercriminals claim to have stolen 200 gigabytes of customer data from Medibank, which potentially includes personal details such as medical procedures and diagnoses, addresses, Medicare numbers and credit card information.
The company “unreservedly” apologised for the data breach, with the company working with the Australian Signals Directorate and the Australian federal police.
