EnergyAustralia has become the latest company to fall victim to a cyber attack, with hundreds of people impacted.
The electricity company said the breach involved unauthorised access of the online platform My Account, exposing the data of 323 residential and small business customers.
Accounts include the customer’s name, address, email address, electricity and gas bills, phone number, and the first six and last three digits of credit cards.
Users are now required to implement 12-character passwords, including a mix of capital and lower case letters, numbers and special characters.
Previously, only eight characters were required for passwords.
EnergyAustralia said there was no evidence customer information was transferred outside of the company’s systems.
Identification documentation, such as driver’s licences and banking information, is not stored on My Account.
The incident happened on September 30 and the affected users were contacted by October 2.
Regulatory authorities and government agencies have also been briefed.
EnergyAustralia chief customer officer Mark Brownfield apologised for the concern caused to customers.
“While this incident was limited in terms of customers affected, we take the security of customer information seriously and have been working hard to put in place additional layers of security to ensure the protection of all customer information,” he said.
“This now includes the implementation of 12-character passwords.
“We recognise the transition to more secure passwords won’t be easy for all our customers, however, this incident and other recent cyber incidents have highlighted this is where we need to go with password complexity.”
It comes after Medibank and Optus were both victims of major breaches.
Medibank said it was contacted by a criminal claiming to have stolen 200GB of data.
Data includes first names and surnames, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers and some claims data.
The criminal claims to have stolen other information, including data related to credit cards, which has not yet been verified.
This cyber incident is now the subject of an investigation by the Australian Federal Police.
Optus has appointed the firm Deloitte to conduct an independent external review of its recent cyber attack, as well as its security systems, controls and processes.