Business Intelligence
Reportable privacy incidents
Across FY23, AGL identified and reported three separate Notifiable Data Breaches to the Office of the Australian Information Commissioner. All three cases involved an external threat actor attempting to gain access to customer personal information through obtaining access to the customer's account details with AGL. In each case, AGL has conducted a detailed analysis of the root cause of the incident, and implemented additional targeted controls or strategies to reduce the likelihood of an incident occurring with the same or a similar attack pattern. However, due to the existing elevated threat landscape relating to personal information, AGL continues to investigate further strategies to prevent unauthorised access to customer data.
Item title | Details |
---|---|
Notifiable Data Breach: OTC Social Engineering | AGL customer accounts were accessed by unauthorised third parties through AGL’s digital platform, My Account. Investigations performed by AGL identified that third parties contacted the impacted 1,549 AGL customers and represented themselves as either an agent of AGL or an energy broker, and advised the AGL customer that a One Time Code (OTC) was required to be sent to the customer’s phone or email address to verify the customer’s identity. The third parties then triggered My Account to send an OTC to the customer’s phone or email address; when the customer read this OTC out to the third party, the third party was able to gain temporary access to the customer’s account via My Account. The OTC was used by the third parties, together with either email or mobile details, to log into the customer’s online services with AGL. AGL believes the third parties may have obtained these email or mobile details through data sources outside of AGL. |
Notifiable Data Breach: International Caller | AGL’s fraud and privacy teams identified a suspected fraud pattern indicating fraudulent access to some specific customer accounts. As a result, AGL commenced a detailed investigation, and based on this investigation, notified the Office of the Australian Information Commissioner (OAIC) of a data breach under the Notifiable Data Breach Scheme. |
Notifiable Data Breach: Password Stuffing Bot Attack | A suspected fraud pattern was identified between 4 and 7 November 2022 following a system alert relating to abnormal login activity, indicating an unexpected spike in login attempts to AGL’s digital platform, My Account. Responding to this alert, AGL took immediate steps to prevent further attacks using a similar attack pattern, and to block access to potentially impacted customer accounts. An investigation was commenced, which suggested that a large-scale credential washing (credential stuffing) attack had been initiated by an unknown third party. This was evidenced by approximately 1.8 million login attempts to My Account, appearing to be made via a large bot-net utilising 20,000 distinct IP addresses. |
Notes
Data comprises ‘eligible data breaches’ as defined in the Privacy Act 1988. An eligible data breach arises when there is unauthorised access, disclosure, or loss of personal information and AGL has not been able to prevent the likely risk of serious harm with remedial action.
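As an added, defensive illustration of the kind of "abnormal login activity" alert described in the Password Stuffing row (example code written for this page, not AGL's own tooling): a small detector that buckets login events into fixed windows and flags a window when attempts spike, are spread across many distinct source IPs, and mostly fail, then lists the accounts that saw a successful login inside that window as potentially impacted. The log format, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def parse_line(line):
    """Parse one constructed log line: '<iso-ts> <src-ip> <account> <SUCCESS|FAIL>'."""
    ts, ip, account, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc), ip, account, result

def detect_credential_stuffing(lines, window_s=300, min_attempts=20,
                               min_ip_fraction=0.5, min_fail_rate=0.8):
    """Bucket attempts into fixed windows; flag a window that spikes, is spread over
    many distinct source IPs (a bot-net) and mostly fails. Thresholds are assumed."""
    buckets = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, ip, account, result = parse_line(line)
            buckets[int(ts.timestamp()) // window_s].append((ip, account, result))
    alerts = []
    for bucket in sorted(buckets):
        events = buckets[bucket]
        attempts, ips = len(events), {ip for ip, _, _ in events}
        fails = sum(1 for _, _, r in events if r == "FAIL")
        if (attempts >= min_attempts and len(ips) / attempts >= min_ip_fraction
                and fails / attempts >= min_fail_rate):
            alerts.append({
                "window_start": datetime.fromtimestamp(bucket * window_s, timezone.utc).isoformat(),
                "attempts": attempts,
                "distinct_ips": len(ips),
                "distinct_accounts": len({a for _, a, _ in events}),
                # Accounts with a successful login inside the flagged window are the
                # potentially impacted ones: lock them pending review, not just the IPs.
                "potentially_impacted": sorted({a for _, a, r in events if r == "SUCCESS"}),
                "block_ips": sorted(ips),
            })
    return alerts

def make_sample_log():
    """Constructed sample: a quiet baseline window, then a bot burst ten minutes later."""
    base = datetime(2022, 11, 4, 10, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(8):  # baseline: a few customers from a few IPs, all successful
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 203.0.113.{i % 3} cust{i:04d} SUCCESS")
    attack = base + timedelta(minutes=10)
    for i in range(40):  # burst: one attempt per distinct bot IP, almost all failing
        t = attack + timedelta(seconds=2 * i)
        result = "SUCCESS" if i in (7, 23) else "FAIL"
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 198.51.100.{i} cust{1000 + i} {result}")
    return lines
```

On the sample, only the burst window is flagged; the baseline window stays quiet because its attempt count never reaches the threshold.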