Across FY24, five Notifiable Data Breaches were reported, compared with three in FY23 and one in FY22. The increase in Notifiable Data Breaches reported is partly attributable to the elevated cybersecurity threat landscape being observed by AGL and the broader energy sector, but may also be partly attributable to AGL's improving ability to detect unusual and unauthorised account activity. AGL is also reliant on key third parties to maintain effective controls preventing unauthorised access. AGL continues to invest in tools, controls and management practices designed to reduce the likelihood of further notifiable data breaches, and to detect and remediate any breaches that occur in the future.
| Incident title | Details |
|---|---|
| MOVEit transfer | AGL transferred files to a consultant using MOVEit Transfer, a third-party file transfer software. On 3 June 2023, the consultant advised AGL that an unauthorised third party had gained access to the MOVEit Transfer system, which meant that AGL files transferred via MOVEit Transfer during this engagement, including personal information of AGL customers and of a small number of other individuals and external bodies (Victoria and South Australia Police), were exposed.<br><br>Following investigations into this data breach and assessment of the likelihood of serious harm resulting, AGL reported a notifiable data breach to the Office of the Australian Information Commissioner as required under the Privacy Act 1988 on 3 July 2023 relating to 9 customers and 3 other individuals. All impacted individuals were contacted by AGL as required under the Privacy Act 1988. |
| BPAY Fraud | As part of AGL’s regular account monitoring processes, unusual activity was detected that suggested a fraudulent third party may have gained unauthorised access to a small number of AGL customers’ online accounts (‘MyAccount’). Where this unusual activity occurred, the fraudulent third party appeared to have the customer’s credentials, enabling access to MyAccount. The third party made payments to the customer’s account, resulting in an account credit, and subsequently contacted AGL to request a refund into a specified bank account.<br><br>As part of undertaking this fraudulent activity, the third party gained access to the impacted customers’ MyAccount and, as a result, to some personal information relating to these customers. Following investigations into this data breach and assessment of the likelihood of serious harm resulting, AGL reported a notifiable data breach to the Office of the Australian Information Commissioner as required under the Privacy Act 1988 on 21 July 2023 relating to eight customers. These customers were contacted by AGL as required under the Privacy Act 1988. |
| MyAccount Compromise (Dec 2023) | On 28 November 2023, AGL’s Security Operations Centre identified unusual account activity that was suspected to be a ‘credential washing attack’. The activity included an unexpected spike in login attempts, both successful and unsuccessful, from a single IP address to AGL’s digital platform, MyAccount.<br><br>Responding to this alert, AGL took immediate steps to prevent further attacks using a similar attack pattern, and to block access to potentially impacted customer accounts until remediated. Subsequent investigations identified that personal information associated with 42 customer accounts may have been fraudulently accessed through this attack. Following investigations into this incident and assessment of the likelihood of serious harm resulting, AGL reported a notifiable data breach to the Office of the Australian Information Commissioner as required under the Privacy Act 1988 on 20 December 2023 relating to 42 customers. All impacted customers were contacted by AGL as required under the Privacy Act 1988. |
| AFP | On 20 December 2023, the Australian Federal Police (AFP) informed AGL that a former AGL employee was being investigated for the theft of personal information relating to a small number of AGL customers.<br><br>The AFP provided AGL with screenshots that it alleged were taken on the former employee’s mobile phone between December 2021 and February 2022. AGL reviewed the screenshots and confirmed that they contained the personal information of current or inactive (previous) AGL customers.<br><br>The AFP confirmed that there was no evidence to suggest that other AGL employees had engaged in the same or similar conduct as that engaged in by the former employee.<br><br>AGL reported a notifiable data breach to the Office of the Australian Information Commissioner as required under the Privacy Act 1988 on 18 January 2024 relating to 15 customers assessed as being likely to face serious harm as a result of the breach. All impacted customers were contacted by AGL as required under the Privacy Act 1988. |
| International Caller | As part of its regular customer account monitoring processes, AGL identified potentially fraudulent activity involving a third party attempting to gain access to customer accounts.<br><br>Detailed investigations identified that an unknown third party had gained unauthorised access to a small number of customer accounts. As a result of this unauthorised access, personal information of these customers was able to be accessed.<br><br>Following investigations into this data breach and assessment of the likelihood of serious harm resulting, AGL reported a notifiable data breach to the Office of the Australian Information Commissioner as required under the Privacy Act 1988 on 9 May 2024 relating to 28 customers. All impacted customers were contacted by AGL as required under the Privacy Act 1988. |

Notes: Data comprises ‘eligible data breaches’ as defined in the Privacy Act 1988. An eligible data breach arises when there is unauthorised access, disclosure, or loss of personal information and AGL has not been able to prevent the likely risk of serious harm with remedial action.
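The MyAccount Compromise row describes the indicator that triggered the alert: a burst of login attempts, successful and failed, from one source IP against many accounts. The following is an added example (not AGL's code, and not based on any AGL system or log format) of how a SOC detection for that pattern can be written. It assumes a simple constructed log line format of `<timestamp> <source ip> <account> <OK|FAIL>`, buckets attempts per source IP into fixed time windows, and flags any window in which one IP exceeds both an attempt threshold and a distinct-account threshold; the threshold values are assumptions to be tuned against real traffic. It also returns the accounts that saw a successful login from the flagged IP, which is the set an operator would lock pending remediation, as the report says AGL did.

```python
"""Detect a login burst from a single source IP against many accounts.

Added example, not part of the report. The log format, field names and
thresholds are assumptions; the sample log is constructed, not real data.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)   # bucket size (assumed; tune to your traffic)
MIN_ATTEMPTS = 20               # attempts per IP per window before alerting (assumed)
MIN_ACCOUNTS = 10               # distinct accounts per IP per window (assumed)


@dataclass
class Event:
    ts: datetime
    ip: str
    account: str
    success: bool


def parse_line(line: str) -> Event:
    """Parse one constructed line: '<ISO-8601 ts> <ip> <account> <OK|FAIL>'."""
    ts, ip, account, outcome = line.split()
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, account, outcome == "OK")


@dataclass
class Bucket:
    attempts: int = 0
    successes: int = 0
    accounts: set = field(default_factory=set)
    compromised: set = field(default_factory=set)   # accounts with a success from this IP


def detect_spikes(lines, window=WINDOW, min_attempts=MIN_ATTEMPTS, min_accounts=MIN_ACCOUNTS):
    """Return one finding per (ip, window) that exceeds both thresholds."""
    buckets = defaultdict(Bucket)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        # Floor the timestamp to the window boundary so one (ip, window) key groups the burst.
        epoch = int(ev.ts.timestamp())
        start = datetime.fromtimestamp(epoch - epoch % int(window.total_seconds()), tz=timezone.utc)
        b = buckets[(ev.ip, start)]
        b.attempts += 1
        b.accounts.add(ev.account)
        if ev.success:
            b.successes += 1
            b.compromised.add(ev.account)
    findings = []
    for (ip, start), b in sorted(buckets.items()):
        # Both conditions together separate a spray across accounts from one user retrying a password.
        if b.attempts >= min_attempts and len(b.accounts) >= min_accounts:
            findings.append({
                "ip": ip,
                "window_start": start.isoformat(),
                "attempts": b.attempts,
                "successes": b.successes,
                "failures": b.attempts - b.successes,
                "distinct_accounts": len(b.accounts),
                "accounts_to_lock": sorted(b.compromised),
            })
    return findings


def constructed_log():
    """Constructed sample: five normal logins plus one burst from 203.0.113.7 (documentation range)."""
    base = datetime(2023, 11, 28, 9, 0, tzinfo=timezone.utc)
    lines = []
    # Background traffic: each customer logs in once from their own IP.
    for i in range(5):
        t = base + timedelta(minutes=i)
        lines.append(f"{t.isoformat().replace('+00:00', 'Z')} 198.51.100.{10 + i} cust20{i:03d} OK")
    # Burst: 30 attempts in 60 seconds against 30 different accounts, three of which succeed.
    for i in range(30):
        t = base + timedelta(seconds=2 * i)
        outcome = "OK" if i in (4, 17, 23) else "FAIL"
        lines.append(f"{t.isoformat().replace('+00:00', 'Z')} 203.0.113.7 cust10{i:03d} {outcome}")
    return lines


if __name__ == "__main__":
    for finding in detect_spikes(constructed_log()):
        print(finding)
```

Requiring both a high attempt count and a high distinct-account count from the same IP is what distinguishes this pattern from a single customer retrying a forgotten password; the successful-login set is kept separately because those are the accounts whose data may already have been viewed and which need to be blocked and their owners notified, while the failed attempts only need the source blocked.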