News

October 21, 2022

Q. What is My Account?

My Account is a customer platform where customers can access general account information including usage and bills.

Q. What information is stored on My Account?

Details stored on My Account include the customer’s name, address, email address, electricity and gas bills, phone number and the first six and last three digits of credit cards.

Q. When did the incident occur?

The incident occurred on Friday, 30 September. My Account was taken offline as a precaution after we identified the incident, and affected customers’ accounts were promptly locked.

All customers impacted were contacted on Sunday, 2 October, by SMS and email and were advised to call our contact centre from 9.00am on Monday, 3 October. Follow-up outbound calls to affected customers were also made during the week.

Q. What information was accessed in this cyber-attack?

The incident resulted in the exposure of My Account data for 323 residential and small business customers. Details include the customer’s name, address, email address, electricity and gas bills, phone number and the first six and last three digits of credit cards.

There is no evidence that customer information was transferred outside of EnergyAustralia’s systems.

Identification documentation, such as driver’s licences or passports, and banking information, are not stored on My Account. This information remains secure.

Q. How many customers were affected by the cyber-attack?

This incident affected 323 residential and small business customers.

Q. Have affected customers been contacted by EnergyAustralia?

Yes. We contacted customers via SMS and email on Sunday, 2 October asking them to contact EnergyAustralia to have their access to My Account restored and to notify them of the incident. Follow-up outbound calls to affected customers were also made during the week.

Q. Why did it take so long for you to contact customers?

We undertook the necessary account reviews over the weekend, 1-2 October, to have a full picture. During this time, My Account was offline and, subsequently, affected customer accounts were locked. We contacted customers from 3.00pm Sunday, 2 October. Customers could reach the contact centre to unlock their accounts via a dedicated line from 9.00am on Monday, 3 October.

Q. How will customers know if their My Accounts were compromised?

Every customer affected has had their My Account locked to manage account security and limit the potential for exposure. We sent a message to customers by SMS and email around 3.00pm on Sunday, 2 October asking them to contact EnergyAustralia to have their access to My Account restored.

Q. Are personal identification documents stored on My Account?

Identification documentation, such as driver’s licences or passports, and banking information, were not accessed. This information is not stored on My Account and remains secure. No other EnergyAustralia systems were affected.

Q. Have you advised the relevant regulators and Ministers?

We have updated relevant regulators along with key government offices following the incident, and we continue to provide updates to regulators and governments as more information becomes available.

Q. What kind of cyber-attack was it?

The attack was automated using a bot.