
    AGL cyber incident is impacting thousands of customers

    2022 will go down as the worst year on record for cyber incidents in Australia. After recent cyber incidents at Optus and Medibank, thousands of customers of energy giant AGL have now been impacted.

    I want to be very clear: this incident appears to be very different to both the Optus and Medibank cyber events. It doesn’t involve an unsecured API or sensitive medical history, and it appears to be much smaller in scale, yet it is still important for those customers impacted.

    I first received a report from an AGL customer around 7 PM last night. This customer reported an issue with their AGL account and had been unable to log in to their MyAccount page for the last 5 days. This meant they were unable to manage their account for the 3 different services they have with AGL: electricity, gas and internet.

    After calling AGL support, the impacted customer spoke with a consultant and received verbal confirmation that a data breach had occurred.

    This customer could not access their account as it had been locked due to a third party gaining access.

    Yeah not real happy with the situation, have electricity gas and internet accounts with them….

    The customer had also received an error message, “our servers are down”, when visiting AGL’s website for 3-4 days, another indication all was not well.

    On the surface, this could be an individual customer with an issue, so I called AGL’s Media division to enquire further. I received verbal confirmation that there has indeed been a cyber incident that has impacted multiple customers and while they haven’t provided an exact number yet, I can confirm it does impact thousands of customers.

    I was informed by the AGL representative that impacted customers had been notified. However, the customer I spoke with confirmed they had received no such notification, outside the phone call they initiated.

    It was also suggested by AGL that these accounts had been compromised due to customers re-using passwords exposed in previous data breaches.

    Unfortunately, that doesn’t seem to align with the details provided by the customer. They checked the publicly disclosed data breaches at https://haveibeenpwned.com/ and the only reference was to an old Tumblr breach.

    The customer joined AGL in July of this year and had a different password. It is possible that there’s an undisclosed data breach, but this certainly doesn’t explain the reason for the AGL account compromise as they suggested. I would look to AGL to provide more information on how the account compromises happened at scale and what information was accessed.

    AGL has a dedicated page on their website titled ‘Scams, hoaxes and online safety’ where they say ‘We’re serious about security and privacy’. While that may be the case, they haven’t publicly disclosed this incident. Public disclosure is the industry standard, and it is much better done sooner rather than later so impacted customers can take action.

    If you’re an impacted AGL customer, please let us know in the comments below. Did you get notified?

    AGL’s Statement

    Below is a statement from AGL on the Cyber Incident.

    AGL takes customer privacy and protecting customer data very seriously. AGL is aware of elevated levels of suspicious activity on its MyAccount platform. Based on current analysis it appears malicious actors have used stolen credentials acquired externally (such as usernames and passwords used elsewhere by customers) to log into a number of customer accounts.

    All AGL customers using MyAccount have been notified of the activity and provided with advice on the importance of using strong passwords, not reusing passwords and the availability of multi-factor authentication.

    In the current environment, where customer data is more available due to recent large data breaches, cyber activity of this nature is increasingly prevalent. 

    I would like to emphasise that there was no data exfiltration through system compromise, as was the case with recent high profile cyber breaches.

    We have communicated to potentially affected customers regarding the suspicious activity and to alert them to unusual activity on their account, and they will be required to reset their password the next time they login.

    We would remind all AGL customers of the importance of using strong passwords, not reusing passwords and the availability of multi-factor authentication.

    We have informed the relevant regulatory bodies, the Office of Australian Information Control and the Australian Cyber Security Association.

    AGL Spokesperson

    Enable MFA to help secure your account

    If you’re not already enabling multi-factor authentication (MFA) on web services that support it, you need to start now. MFA helps to secure your account against attackers by combining something you know (username/password) with something you have (a code from an MFA authentication app).

    This means that if your credentials are learned, the attacker won’t be able to access your account. If you do have MFA set up, it is important to only ever approve authentication requests when you initiate them (i.e. when you log into your account). If you ever see one you didn’t initiate, it’s likely an indicator your credentials have been learned and you should reset your password immediately.
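
The point above, as an added sketch that is not from the original article and is not AGL's implementation: a login that requires both the password and a time-based one-time code (TOTP, RFC 6238) turns away someone holding only a reused password, and refuses a code that has already been used. The account record layout, function names and sample password are assumptions; the key is the published RFC 4226 test key.

```python
import hashlib, hmac, os, struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)
RFC_TEST_KEY = b"12345678901234567890"  # published RFC 4226 test key, not a real secret

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def matching_step(secret: bytes, code: str, now: float, window: int = 1):
    """Return the time step whose code matches (current step +/- window for clock drift)."""
    current = int(now) // STEP
    for step in range(max(0, current - window), current + window + 1):
        if hmac.compare_digest(hotp(secret, step).encode(), code.encode()):
            return step
    return None

def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def enroll(password: str, totp_secret=None) -> dict:
    """Hypothetical account record: salted password hash plus optional TOTP secret."""
    salt = os.urandom(16)
    return {"salt": salt, "pw": pw_hash(password, salt),
            "totp": totp_secret, "last_step": -1}

def login(acct: dict, password: str, code, now: float) -> str:
    if not hmac.compare_digest(pw_hash(password, acct["salt"]), acct["pw"]):
        return "denied: password"
    if acct["totp"] is None:
        return "ok: password only"      # a reused, leaked password is enough here
    step = matching_step(acct["totp"], code or "", now)
    if step is None or step <= acct["last_step"]:
        return "denied: second factor"  # missing, wrong, or already-used code
    acct["last_step"] = step            # one-time: a captured code cannot be replayed
    return "ok: password + code"

if __name__ == "__main__":
    leaked = "Summer2022!"              # constructed sample password
    no_mfa, with_mfa = enroll(leaked), enroll(leaked, RFC_TEST_KEY)
    print(login(no_mfa, leaked, None, 59))        # leaked password, no MFA on account
    print(login(with_mfa, leaked, None, 59))      # leaked password, MFA enabled
    print(login(with_mfa, leaked, hotp(RFC_TEST_KEY, 59 // STEP), 59))  # account owner
```
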

    Jason Cartwright (https://techau.com.au/author/jason/)
    Creator of techAU, Jason has spent a dozen+ years covering technology in Australia and around the world. Bringing a background in multimedia and passion for technology to the job, Cartwright delivers detailed product reviews, event coverage and industry news on a daily basis. Disclaimer: Tesla Shareholder from 20/01/2021

    10 COMMENTS

    1. I had exactly the same thing. Got a letter on the 11th of Nov and was assured it was under investigation- plus they were being cautious in light of other cybersecurity incidents. Soooooo pissed off

    2. I have been trying to check my account. Unable to get in even with verification code. Spoke to an operator who informed me that there is suspicious activity on my account. WTF?!? Why wasn’t I informed? This article is the first I have heard of this. Extremely pissed off that they are risking all of their customers’ privacy.

    3. Same situation as others, couldn’t login for 5 days now, rang AGL and was told server was down.
      Had no correspondence from AGL at all.
      AGL said will be down for another few days.

    4. I am affected by this though I’ve not received any correspondence from AGL. I had to call them to find out why I was unable to login to my account.
      I can guarantee it wasn’t a re-used password as I have completely unique passwords for every single site.

    5. I wasn’t notified, I rang on Monday when I attempted to login to pay a bill and was shot to an error page (the app did the same thing). I was told during that call that the accounts page was down because they were doing proactive security maintenance and not to worry, I asked if they were hacked/breached and again the manager told me it was simply them being pro-active. I just rang again just now and they’ve told me that they locked a whole bunch of user accounts as they discovered a breach relating to fraud.

      No ETA on when I can get access to my account.

    6. Yep. Got a rude phone call yesterday claiming to be AGL collections. I wouldn’t give my info to them so they threatened me with debt collectors. Rang AGL and they had no idea, plus I couldn’t access my account at all.

    7. Previous AGL Employee in technology, this isn’t a surprise previous security leadership left a lot to be desired. Also a customer no contact to any of my accounts with them.

    8. Even when I rang them yesterday, 2nd time this week, asking why am I locked out, they denied there was an issue. I challenged them on their poor customer relations and have to read about it online as to why my account is locked.
