Alinta Energy accused of customer data protection failure
- 03 March, 2020 15:12
Alinta Energy stands accused of potentially exposing the sensitive information of its 1.1 million customers because it lacks sufficient privacy protection systems.
A joint investigation between the ABC’s current affairs show 7.30 and The Sydney Morning Herald and The Age has revealed leaked documents appearing to indicate the energy giant has not had appropriate compliance and privacy monitoring systems in place to safeguard personal information.
As a business with a retail customer base, Alinta holds a swathe of personal details on customers including names, addresses, birth dates, mobile phone numbers and financial details. Leaked documents obtained by the ABC and the two newspapers appear to show Alinta has not adequately protected this sensitive information.
The Chinese-owned energy giant's written responses to 7.30 questions were also shared with CMO and state that at the beginning of 2019, Alinta initiated an audit by an independent third party to examine its approach to managing privacy across the organisation.
"The audit report confirmed a number of positive aspects of our approach alongside a number of opportunities to improve. Some elements, including the need for a privacy management framework, privacy officer, encryption standards and data strategy were highlighted and have been progressed," Alinta said in the statement.
Alinta revealed in the statement it had one reportable data breach incident in January 2020 concerning a single individual and has met its compliance obligations in addressing the issue. "The OAIC was satisfied with the process and remediation and the matter has been closed," the statement read.
The sale of Alinta Energy, which took place in 2017, was approved by the Foreign Investment Review Board (FIRB), although it found the company's compliance and privacy monitoring systems appeared to be inadequate.
In its statement, Alinta confirmed the FIRB has approved a remediation plan and it is on track to complete the activities within the agreed timeframe.
"Alinta Energy is treated as being in compliance with the conditions imposed by FIRB, while it continues to implement remedial activities endorsed by FIRB. Remedial activities will be completed by Dec 2020," the statement said.
Alinta Energy said it undertakes annual reviews using a third-party auditor to evaluate its security and identify any areas of risk, and any significant risks which are identified are tracked through to conclusion.
"In addition, when there are any significant changes to customer facing systems we undertake web penetration testing and all significant findings are addressed prior to release to production. Alinta Energy has in place an ongoing program of investment focussed on improving our cybersecurity capabilities."
The Office of the Australian Information Commissioner, as well as the energy regulator, the Essential Services Commission, are inquiring into Alinta’s processes following the story revealing it may not have adequately protected the personal information of its 1.1 million gas and electricity customers.