Source: Privacy Commissioner
What happened
OPC has received multiple notifications of privacy breaches from utilities providers (power/gas/broadband) where customers’ personal information was accessed or misused by unauthorised individuals such as fraudsters or impersonators.
In these cases, unauthorised individuals were able to:
- open new accounts or add new services in someone else’s name
- accrue debt in the customer’s name, which was then passed on to debt collection agencies, impacting credit scores, and
- edit contact details to divert correspondence.
The breaches often went undetected for extended periods of time, only coming to light once the affected individual experienced harm – such as credit damage or financial loss, service disruption, or reputational impact.
How it happened
In these cases, identity verification processes used by the utility providers were not sufficient to prevent unauthorised access to customers’ accounts.
Identity verification is the process of making sure someone is who they say they are. Common identity verification steps include sighting a person’s driver’s licence or passport or asking security questions.
In some cases, the only pieces of personal information (data points) required to access an account were the customer’s full name and date of birth. In one example, even an additional document check was insufficient, as the fraudster had access to the customer’s driver’s licence.
Relying on a small number of basic pieces of personal information to verify identity poses a high privacy risk – particularly when that information may be readily available through social media, public records, or previous data breaches.
While an agency needs to have enough information to correctly identify an individual, it must balance this against its obligation to collect only the information necessary to fulfil its purpose (providing utility services).
The Privacy Act and other guidance
Information Privacy Principle 5 (IPP5) requires that agencies have safeguards that are reasonable in the circumstances to prevent unauthorised use, access, loss, or disclosure of personal information.
Unauthorised or accidental access to a customer’s account or other personal information may also be a notifiable privacy breach under section 112 of the Privacy Act. Agencies must assess all such instances to determine if they need to notify the Commissioner or affected people and take appropriate steps to contain the breach.
Each of the breaches referenced in this decision note was assessed as notifiable on the basis that serious harm had already occurred for the customers affected.
How can utility providers do better?
Whether over the phone or through an online platform, weak identity verification processes can result in real harm to individuals, including financial loss, reputational damage, or ongoing privacy risk.
Some utility providers we have heard from have improved their identity verification processes by:
- increasing the number and type of pieces of personal information used to verify identity,
- requiring the use of passwords, or
- using Identity Verification as a Service (IDVaaS).
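As an added illustration (not part of the decision note and not any provider's code), the policy below models the points made above: data points that are readily available (full name, date of birth, address) never suffice on their own, a sighted document does not unlock high-impact actions because the fraudster may hold a copy, and the actions described in this note (opening accounts, adding services, changing contact details) require a password or an IDVaaS result. The factor names, their classification, the action list and the audit records are all constructed for the example.

```python
"""Illustrative identity-verification policy checker (added example, not OPC guidance)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Set, Tuple


class Strength(Enum):
    PUBLIC = 1    # readily available via social media, public records or prior breaches
    DOCUMENT = 2  # a sighted identity document; can be stolen or copied
    SECRET = 3    # held only by the customer: account password, or a passed IDVaaS check


# Assumed classification of verification data points (constructed for this example).
FACTOR_STRENGTH = {
    "full_name": Strength.PUBLIC,
    "date_of_birth": Strength.PUBLIC,
    "service_address": Strength.PUBLIC,
    "drivers_licence_number": Strength.DOCUMENT,
    "passport_number": Strength.DOCUMENT,
    "account_password": Strength.SECRET,
    "idvaas_verified": Strength.SECRET,
}

# Actions the note describes as causing harm when performed by an impersonator.
HIGH_RISK_ACTIONS = {"open_account", "add_service", "change_contact_details"}


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(action: str, presented: Set[str]) -> Decision:
    """Decide whether the presented data points are sufficient for the requested action."""
    unknown = presented - set(FACTOR_STRENGTH)
    if unknown:
        return Decision(False, ["unknown factor(s): " + ", ".join(sorted(unknown))])
    strengths = {FACTOR_STRENGTH[f] for f in presented}
    reasons = []
    # Rule 1: a set made up only of readily available data points (e.g. name + DOB) never suffices.
    if strengths <= {Strength.PUBLIC}:
        reasons.append("only readily available data points presented")
    # Rule 2: high-impact actions need a SECRET factor; a document alone is not enough.
    if action in HIGH_RISK_ACTIONS and Strength.SECRET not in strengths:
        reasons.append(f"'{action}' requires a password or IDVaaS verification")
    # Rule 3: always require at least two distinct data points, even for low-risk queries.
    if len(presented) < 2:
        reasons.append("fewer than two data points presented")
    return Decision(not reasons, reasons)


# Constructed audit records: (customer_id, action, factors presented at the time).
SAMPLE_AUDIT = [
    ("C1001", "balance_enquiry", {"full_name", "date_of_birth"}),
    ("C1002", "change_contact_details", {"full_name", "date_of_birth"}),
    ("C1003", "add_service", {"full_name", "date_of_birth", "drivers_licence_number"}),
    ("C1004", "add_service", {"full_name", "account_password"}),
]


def review_audit(records) -> List[Tuple[str, str, List[str]]]:
    """Retrospectively flag high-impact actions that passed on weak verification.

    These are the records a provider would assess as possible notifiable breaches.
    """
    flagged = []
    for customer, action, factors in records:
        if action not in HIGH_RISK_ACTIONS:
            continue
        decision = evaluate(action, factors)
        if not decision.allowed:
            flagged.append((customer, action, decision.reasons))
    return flagged


if __name__ == "__main__":
    for customer, action, reasons in review_audit(SAMPLE_AUDIT):
        print(customer, action, "; ".join(reasons))
```

Running the audit review over the constructed records flags C1002 (contact details changed on name and date of birth alone) and C1003 (a service added on a sighted licence without any secret factor), while C1004, verified with a password, passes; the design keeps the classification table separate from the rules so that a provider can tighten it as new data points become publicly available.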
What is considered a “reasonable safeguard” under IPP5 is context dependent. Agencies must assess the nature of the personal information held and the risk of harm if that information is misused. Details from utilities providers may be used as a ‘stepping stone’ to other fraud – identity verification processes are only as strong as the weakest link in the chain.
While OPC does not mandate any specific approach, providers must implement identity verification processes which mitigate the risk of fraudsters easily gaining access to their customers’ accounts.