Alinta Energy is under investigation by the Essential Services Commission (Australian energy regulator). It follows a media investigation by The Age, Herald and ABC’s 7.30 that exposes gaping holes in the way it protects the personal information of its 1.1 million customers.
This investigation is part of a long story starting three years ago after the sale of Alinta Energy to 100% Chinese-owned Chow Tai Fook Enterprises.
A series of leaked Alinta documents show the company’s privacy systems remain inadequate. One internal document said Alinta “may not be adequately protecting personal information” and at times “doesn’t meet the requirements of privacy laws”. The material also includes a list of more than ten secret FIRB conditions, which largely relate to data security. Few, if any critical ones are complete.
The Alinta scandal
It started in 2018 when Alinta energy was fined $300,000 for allegedly transferring customers without their consent.
Alinta confirmed that it had identified 24 cases of fraudulent behaviour by a third-party sales channel. This included submitting sales without obtaining customer consent. It had reported them to the relevant authorities and had no longer had a relationship with any of the companies involved.
Alinta reported eight cases of fraud to the Australian Energy Regulator and Essential Services Commission in March 2019.
But what that meant is some families were exposed to heavy-handed tactics including bankruptcy. Other customers were subject to sheriff’s notices for late-payments and other customers signed up without their consent.
This is not the first time Alinta Energy has been under the ACCC’s watchful eyes.
What does Alinta (and its partners) know about its customers?
Alinta operates a small local call centre in Perth. We understand the bulk of the calls go to Cebu and Manila in the Philippines.
Alinta collects names, addresses, birth dates, mobile numbers, Medicare, credit card details, drivers’ licence, passport and in some cases, individual health information.
An internal privacy compliance audit by EY in June 2019 found Alinta’s privacy compliance had significant risks in critical areas.
Alinta did not correctly monitor, control or protect access to personal information, raising the potential risk of unauthorised access.
The audit found the electricity and gas retailer was also inconsistent in de-identifying and destroying information when no longer needed.
‘We identified most areas (of Alinta Energy) were not aware of a policy that outlines retention, disposal and de-identification requirements,’ said the audit, published by the Sydney Morning Herald.
Alinta’s privacy terms are here and allow it to do whatever it pleases with the information.
We also collect, use and disclose your personal information to contact you and provide you with information on products and services that we or third parties offer, competitions and other marketing information that we think that you might be interested in, even after you cease acquiring products or services from us.