Image from https://www.dailymail.co.uk/news/article-8063005/How-Chinese-owned-energy-provider-private-data-MILLION-Australians-risk.html
Alinta Energy is under investigation by the Essential Services Commission (Australian energy regulator). It follows a media investigation by The Age, Herald and ABC’s 7.30 that exposed gaping holes in the way Alinta protects the personal information of its 1.1 million customers.
This investigation is part of a long story starting three years ago after the sale of Alinta Energy to 100% Chinese-owned Chow Tai Fook Enterprises.
A series of leaked Alinta documents show the company’s privacy systems remain inadequate. One internal document said Alinta “may not be adequately protecting personal information” and at times “doesn’t meet the requirements of privacy laws”. The material also includes a list of more than ten secret FIRB conditions, which largely relate to data security. Few, if any, of the critical ones are complete.
The Alinta scandal
It started in 2018 when Alinta Energy was fined $300,000 for allegedly transferring customers without their consent.
Alinta confirmed that it had identified 24 cases of fraudulent behaviour by a third-party sales channel. This included submitting sales without obtaining customer consent. It had reported them to the relevant authorities and no longer had a relationship with any of the companies involved.
Alinta reported eight cases of fraud to the Australian Energy Regulator and Essential Services Commission in March 2019.
It was using Electricity Monster (Australian operations but also allegedly a Chinese-owned firm) to sign up retail customers. Its privacy terms have gaping holes.
But what that meant is that some families were exposed to heavy-handed tactics, including bankruptcy. Other customers were subject to sheriff’s notices for late payments, and others were signed up without their consent.
What does Alinta (and its partners) know about its customers?
Alinta operates a small local call centre in Perth. We understand the bulk of the calls go to Cebu and Manila in the Philippines.
Alinta collects names, addresses, birth dates, mobile numbers, Medicare, credit card details, drivers’ licence, passport and in some cases, individual health information.
An internal privacy compliance audit by EY in June 2019 found Alinta’s privacy compliance had significant risks in critical areas.
Alinta did not correctly monitor, control or protect access to personal information, raising the potential risk of unauthorised access.
The audit found the electricity and gas retailer was also inconsistent in de-identifying and destroying information when no longer
‘We identified most areas (of Alinta Energy) were not aware of a policy that outlines retention, disposal and de-identification requirements,’ said the audit, published by the Sydney Morning Herald.
Alinta’s privacy terms are here and allow it to do whatever it pleases with the information.
We also collect, use and disclose your personal information to contact you and provide you with information on products and services that we or third parties offer, competitions and other marketing information that we think that you might be interested in, even after you cease acquiring products or services from us.
We may disclose it to
Alinta Energy contractors, suppliers and agents who assist Alinta Energy in providing products and services or marketing to you;
Other organisations who in conjunction with us provide energy supply services or assist us in our business operations
Some of our service providers are located or operate outside of Australia. Accordingly, your personal information may be disclosed by us to those service providers, who are located in Philippines, Indonesia and
But perhaps the most significant oversight is that nowhere on its website or materials does it disclose its 100% Chinese ownership. It appears to go out of its way to look very Australian.
GadgetGuy’s take – Alinta is the tip of a vast privacy iceberg
We don’t know if what Alinta did was right or wrong, good or bad. What we do know is that personal data is a commodity. It is all too easy to steal, hack and misuse – especially if the owner is subject to the laws of a foreign government.
Yet again we warn you to read privacy terms and look at ownership pedigrees. The information collected by Alinta is precisely what cybercriminals salivate over for ID theft. That the FIRB requirements are still outstanding four years later is shocking.
Labor shadow treasurer Jim Chalmers and ALP senator Deborah O’Neill have directly accused the Chinese-owned company of identity theft (presumably under Parliamentary Privilege).