Alinta Energy accused of customer data protection failure

protecting_data-100683751-orig.jpg

Alinta Energy stands accused of potentially exposing the sensitive information of its 1.1 million customers because it lacks sufficient privacy protection systems. 

A joint investigation between the ABC’s current affairs show 7.30 and The Sydney Morning Herald and The Age has revealed leaked documents appearing to indicate the energy giant has not had appropriate compliance and privacy monitoring systems in place to safeguard personal information.

As a business with a retail customer base, Alinta holds a swathe of personal details on customers including names, addresses, birth dates, mobile phone numbers and financial details. Leaked documents obtained by the ABC and the two newspapers appear to show Alinta has not adequately protected this sensitive information.

The Chinese-owned energy giant's written responses to 7.30 questions were also shared with CMO and state that at the beginning of 2019, Alinta initiated an audit by an independent third-party to examine its approach to managing privacy across the organisation.

"The audit report confirmed a number of positive aspects of our approach alongside a number of opportunities to improve. Some elements, including the need for a privacy management framework, privacy officer, encryption standards and data strategy were highlighted and have been progressed," Alinta said in the statement

Alinta revealed in the statement it had one reportable data breach incident in January 2020 concerning a single individual and has met its compliance obligations in addressing the issue. "The OAIC was satisfied with the process and remediation and the matter has been closed," the statement read.

The sale of Alinta Energy, which took place in 2017, was approved by the Foreign Investment Review Board (FIRB), although it found the company's compliance and privacy monitoring systems appeared to be inadequate.

In its statement, Alinta confirmed the FIRB has approved a remediation plan and it is on track to complete the activities within the agreed timeframe.

"Alinta Energy is treated as being in compliance with the conditions imposed by FIRB, while it continues to implement remedial activities endorsed by FIRB. Remedial activities will be completed by Dec 2020, the statement said.

Alinta Energy said it undertakes annual reviews using a third party-auditor to evaluate its security and identify any areas of risk, and any significant risks which are identified are tracked through to conclusion.

"In addition, when there are any significant changes to customer facing systems we undertake web penetration testing and all significant findings are addressed prior to release to production. Alinta Energy has in place an ongoing program of investment focussed on improving our cybersecurity capabilities."

The Office of the Australian Information Commissioner, as well as the energy regulator, the Essential Services Commission are inquiring into Alinta’s processes following the story revealing it may not have adequately protected the personal information of its 1.1 million gas and electricity customers.

Follow CMO on Twitter: @CMOAustralia, take part in the CMO conversation on LinkedIn: CMO ANZ, follow our regular updates via CMO Australia's Linkedin company page, or join us on Facebook: https://www.facebook.com/CMOAustralia.