Alinta Energy accused of putting customers’ sensitive information at risk
7.30 By Adele Ferguson and Chris Gillett
Updated 2 March 2020
Alinta Energy may be putting the personal information of its 1.1 million gas and electricity customers at risk.
- The sale of Alinta Energy to Chinese company Chow Tai Fook was approved by then-treasurer Scott Morrison in 2017
An investigation has found Alinta Energy may not have proper systems in place to protect sensitive customer information
Alinta Energy may have failed to protect customers’ Medicare and passport numbers, credit card details and, in some cases, health records
Leaked documents obtained by 7.30, The Age and The Sydney Morning Herald reveal the Chinese-owned energy giant does not appear to have proper systems in place to protect sensitive customer information.
Through its retail operations Alinta collects names, addresses, birth dates, mobile numbers, Medicare and passport numbers, credit card details and, in some cases, individual health records.
*A series of internal documents provided by a whistleblower show that almost three years after the then-treasurer Scott Morrison approved the sale of Alinta to Chinese company Chow Tai Fook on advice from the Foreign Investment Review Board (FIRB), the company’s compliance and privacy monitoring systems appear to be inadequate.
One document, a June 2019 privacy compliance audit by its internal auditor EY, said access to personal information “was not adequately monitored or controlled” and Alinta may not be adequately protecting personal information, resulting in potential unauthorised access.
‘Reckless approach to privacy and data’: whistleblower
*Chow Tai Fook was given approval to buy Alinta for $4 billion in April 2017 on the proviso it would satisfy a series of conditions that were not made public.
Leaked documents include a list of more than 10 secret FIRB conditions which largely relate to data security. Conditions include that all data must be stored within Australia and can only be accessed within Australia.
“There clearly wasn’t much pre-vetting or due diligence done in the sale of Alinta, otherwise how could they [the government] allow a company with such a reckless approach to privacy and data to be sold to an overseas company?” the whistleblower said.
In a statement, a spokesperson for Alinta Energy said the company took “compliance with privacy laws seriously” and customer data was stored in “secure data centres in Australia”.
The spokesperson said the independent audit in 2019 highlighted “the need for a privacy management framework, privacy officer, encryption standards and data strategy … and have been progressed”.
They said Alinta Energy had “one reportable data breach incident” in January this year concerning a single individual and it had met its compliance obligations addressing the issue.
“On an annual basis Alinta Energy engages a third-party auditor to evaluate our security and identify any areas of risk. Any significant risks which are identified are tracked through to conclusion,” the spokesperson said.
When asked if it was complying with FIRB conditions, the spokesperson said “Alinta is treated as being in compliance with the conditions imposed by FIRB while it continues to implement remedial activities endorsed by FIRB”.
A spokeswoman for Treasury said: “We can confirm that Alinta Energy is engaging constructively with the Foreign Investment Review Board to implement remedial activities endorsed by FIRB. Remedial activities will be completed by December 2020.
“Whilst FIRB is engaging with Alinta it would not be appropriate to comment further.”
‘It went from nothing to bankruptcy’
Under the new owners, Alinta has been aggressively signing up more than 2,000 new customers a day. It has also seen customer complaints rise, with some customers complaining of heavy-handed tactics, including threats of bankruptcy.
CAAN: We have been approached by Alinta Sales Reps corraling customers in busy shopping centres offering so-called good deals … it would appear to steal customers from their opposition …
The White family, a second-generation dairy farming family in Victoria, received a bankruptcy notice in late November 2019 after missing a $2,000 payment on an electricity bill.
“There was no letter saying, you know, your account will be disconnected. It went from nothing to bankruptcy right before Christmas,” Carolyn White said.
CAAN: What bully-boy tactics from Alinta … with people leading such busy lives they often forget to pay an account! Or in this case facing very difficult circumstances!
The family sold assets to repay the outstanding debt but in mid-January, as it was fighting bushfires, Alinta wanted it to pay its legal bills.
On January 31 the Federal Circuit Court ordered the petition be dismissed and ordered Alinta to pay the Whites’ costs of $6,824.80.
A spokesperson for Alinta Energy told 7.30 they could not comment on the specifics of a customer’s case for privacy reasons, but said “bankruptcy notices are used only as a last resort”.
“In the last four years, Alinta Energy has issued 13 bankruptcy notices and note that only one of these has resulted in a bankruptcy.”
Watch this story tonight on 7.30.