Alinta Energy is under investigation by the Essential Services Commission (Australian energy regulator). It follows a media investigation by The Age, Herald and ABC’s 7.30 that exposes gaping holes in the way Alinta protects the personal information of its 1.1 million customers.
This investigation is part of a long story starting three years ago after the sale of Alinta Energy to 100% Chinese-owned Chow Tai Fook Enterprises.
A series of leaked Alinta documents show the company’s privacy systems remain inadequate. One internal document said Alinta “may not be adequately protecting personal information” and at times “doesn’t meet the requirements of privacy laws”. The material also includes a list of more than ten secret FIRB conditions, which largely relate to data security. Few, if any, of the critical ones are complete.
The Alinta scandal
It started in 2018 when Alinta Energy was fined $300,000 for allegedly transferring customers without their consent.
Alinta confirmed that it had identified 24 cases of fraudulent behaviour by a third-party sales channel. This included submitting sales without obtaining customer consent. It had reported them to the relevant authorities and no longer had a relationship with any of the companies involved.
Alinta reported eight cases of fraud to the Australian Energy Regulator and Essential Services Commission in March 2019.
But what that meant is that some families were exposed to heavy-handed tactics, including bankruptcy. Other customers were subject to sheriff’s notices for late payments, and others were signed up without their consent.
This is not the first time Alinta Energy has been under the ACCC’s watchful eyes.
What does Alinta (and its partners) know about its customers?
Alinta operates a small local call centre in Perth. We understand the bulk of the calls go to Cebu and Manila in the Philippines.
Alinta collects names, addresses, birth dates, mobile numbers, Medicare, credit card details, drivers’ licence, passport and in some cases, individual health information.
An internal privacy compliance audit by EY in June 2019 found Alinta’s privacy compliance had significant risks in critical areas.
Alinta did not correctly monitor, control or protect access to personal information, raising the potential risk of unauthorised access.
The audit found the electricity and gas retailer was also inconsistent in de-identifying and destroying information when no longer needed.
‘We identified most areas (of Alinta Energy) were not aware of a policy that outlines retention, disposal and de-identification requirements,’ said the audit, published by the Sydney Morning Herald.
Alinta’s privacy terms are here and allow it to do whatever it pleases with the information.
We also collect, use and disclose your personal information to contact you and provide you with information on products and services that we or third parties offer, competitions and other marketing information that we think that you might be interested in, even after you cease acquiring products or services from us.
We may disclose it to
- Alinta Energy contractors, suppliers and agents who assist Alinta Energy in providing products and services or marketing to you;
- Other organisations who in conjunction with us provide energy supply services or assist us in our business operations and activities;
Some of our service providers are located or operate outside of Australia. Accordingly, your personal information may be disclosed by us to those service providers, who are located in Philippines, Indonesia and New Zealand.
But perhaps the most significant oversight is that nowhere on its website or materials does it disclose its 100% Chinese ownership. It appears to go out of its way to look very Australian.
GadgetGuy’s take – Alinta is the tip of a vast privacy iceberg
We don’t know if what Alinta did was right or wrong, good or bad. What we do know is that personal data is a commodity. It is all too easy to steal, hack and misuse – especially if the owner is subject to the laws of a foreign government.
Yet again we warn you to read privacy terms and look at ownership pedigrees. The information collected by Alinta is precisely what cybercriminals salivate over for ID Theft. That the FIRB requirements are still outstanding four years later is shocking.
Labor shadow treasurer Jim Chalmers and ALP senator Deborah O’Neill have directly accused the Chinese-owned company of identity theft (presumably under Parliamentary Privilege).
There is a comprehensive article at the Brisbane Times.