Business Intelligence

AGL customer accounts were accessed by unauthorised third parties through AGL’s digital platform, My Account. Investigations performed by AGL identified that third parties contacted the impacted 1,549 AGL customers and represented themselves as either an agent of AGL or an energy broker, and advised the AGL customer that a One Time Code (OTC) was required to be sent to the customer’s phone or email address to verify the customer’s identity. The third parties subsequently triggered My Account to send an OTC to the customer’s phone or email address, and upon the customer reading this OTC out to the third party, enabled the third party to gain temporary access to the customer’s account via My Account. The OTC has been used by the third parties, together with either email or mobile details, to log into the customer’s online services with AGL. AGL believes the third parties may have obtained these email or mobile details through data sources outside of AGL.

AGL reported a notifiable data breach to the Office of the Australian Information Commissioner (“OAIC”) as required under the Privacy Act on 3 August 2022.

AGL’s fraud and privacy teams identified a suspected fraud pattern indicating fraudulent access to some specific customer accounts. As a result, AGL commenced a detailed investigation, and based on this investigation, notified the Office of the Australian Information Commissioner (OAIC) of a data breach under the Notifiable Data Breach Scheme.

Detailed analysis identified that 56 customer accounts had been fraudulently accessed by an unknown third party through the AGL call centre and webchat platform, which resulted in the third party obtaining access to customer account details through AGL’s digital platform, My Account, and webchat. The third party held substantial pre-existing customer information which was used to impersonate the affected customers when contacting the AGL call centre. The third party used that information to successfully authenticate themselves and change the customer's registered email address, thereby providing them an ability to gain access to the customer’s My Account through the use of the One Time Code (OTC).

AGL reported a notifiable data breach to the Office of the Australian Information Commissioner (“OAIC”) on 3 November 2022 as required under the Privacy Act.

A suspected fraud pattern was identified between 4 and 7 November 2022 following a system alert relating to abnormal login activity, indicating an unexpected spike in login attempts to AGL’s digital platform, My Account. Responding to this alert, AGL took immediate steps to prevent further attacks using a similar attack pattern, and to block access to potentially impacted customer accounts. An investigation was commenced which suggested that a large-scale credential washing exercise attack had been initiated by an unknown third party. This was evidenced by approximately 1.8 million login attempts to My Account, appearing to be made via a large bot-net utilising 20,000 distinct IP addresses.

Subsequent investigations identified that personal information associated with up to 757 customer accounts may have been fraudulently accessed through this attack. As a result of unauthorised access to My Account, personal information, such as name, address, phone number and email may have been compromised for the affected customers.

AGL reported a notifiable data breach to the Office of the Australian Information Commissioner (“OAIC”) on 2 December 2022 as required under the Privacy Act.