Alinta Energy's alleged non-compliance with privacy regulations highlights what is all too common with poor regulation

March 2, 2020

Today the 7.30 program and the 9 Fairfax press report on possible non-compliance with data storage conditions imposed on Alinta when it was sold to overseas, Chinese, purchasers. The source of the story is damaging internal documents questioning compliance.

The essence of the story, that Alinta is not complying with its data security obligations under the Privacy Act, is not as exciting as the media outlets suggest. It collects the personal information of 1.1 million customers, as do many large corporations and agencies. It may not be properly protecting that data.

Inadequate data security is a problem endemic throughout the business sector. Because regulation is light-touch to the point of no contact, compliance is patchy at best. Some sectors are better than others, with banking, insurance and mining having reasonable structures and better compliance than other sectors because they are more often the targets of hackers and the consequences of a breach are significant. But for many businesses cyber security is an optional extra.

What makes the Alinta story notable is that there were strict data security conditions imposed on the purchaser, a Chinese entity, as part of the approval process. There is no culture of privacy protection in China and the Chinese government has a well-deserved reputation for getting whatever benefit it can from western businesses, including the use of personal information. Having access to over a million people's data can be useful.

A better story would have been the ABC doing a report on how poor overall privacy protections are across the private sector and how much of our data is a click on a hyperlink away from being accessed by hackers.

The ABC article provides:

Alinta Energy may be putting the personal information of its 1.1 million gas and electricity customers at risk.

Key points:

  • The sale of Alinta Energy to Chinese company Chow Tai Fook was approved by then-treasurer Scott Morrison in 2017
  • An investigation has found Alinta Energy may not have proper systems in place to protect sensitive customer information
  • Alinta Energy may have failed to protect customers’ Medicare and passport numbers, credit card details and, in some cases, health records

Leaked documents obtained by 7.30, The Age and The Sydney Morning Herald reveal the Chinese-owned energy giant does not appear to have proper systems in place to protect sensitive customer information.

Through its retail operations Alinta collects names, addresses, birth dates, mobile numbers, Medicare and passport numbers, credit card details and, in some cases, individual health records.

A series of internal documents provided by a whistleblower show that almost three years after the then-treasurer Scott Morrison approved the sale of Alinta to Chinese company Chow Tai Fook on advice from the Foreign Investment Review Board (FIRB), the company’s compliance and privacy monitoring systems appear to be inadequate.

One document, a June 2019 privacy compliance audit by its internal auditor EY, said access to personal information “was not adequately monitored or controlled” and Alinta may not be adequately protecting personal information, resulting in potential unauthorised access.

Chow Tai Fook was given approval to buy Alinta for $4 billion in April 2017 on the proviso it would satisfy a series of conditions that were not made public.

Leaked documents include a list of more than 10 secret FIRB conditions which largely relate to data security. Conditions include that all data must be stored within Australia and can only be accessed within Australia.

“There clearly wasn’t much pre-vetting or due diligence done in the sale of Alinta, otherwise how could they [the government] allow a company with such a reckless approach to privacy and data to be sold to an overseas company?” the whistleblower said.

In a statement, a spokesperson for Alinta Energy said the company took “compliance with privacy laws seriously” and customer data was stored in “secure data centres in Australia”.

The spokesperson said the independent audit in 2019 highlighted “the need for a privacy management framework, privacy officer, encryption standards and data strategy … and have been progressed”.

They said Alinta Energy had “one reportable data breach incident” in January this year concerning a single individual and it had met its compliance obligations addressing the issue.

“On an annual basis Alinta Energy engages a third-party auditor to evaluate our security and identify any areas of risk. Any significant risks which are identified are tracked through to conclusion,” the spokesperson said.

When asked if it was complying with FIRB conditions, the spokesperson said “Alinta is treated as being in compliance with the conditions imposed by FIRB while it continues to implement remedial activities endorsed by FIRB”.

A spokeswoman for Treasury said: “We can confirm that Alinta Energy is engaging constructively with the Foreign Investment Review Board to implement remedial activities endorsed by FIRB. Remedial activities will be completed by December 2020.

“Whilst FIRB is engaging with Alinta it would not be appropriate to comment further.”

Under the new owners, Alinta has been aggressively signing up more than 2,000 new customers a day. It has also seen customer complaints rise, with some customers complaining of heavy-handed tactics, including threats of bankruptcy.

The White family, a second-generation dairy farming family in Victoria, received a bankruptcy notice in late November 2019 after missing a $2,000 payment on an electricity bill.

“There was no letter saying, you know, your account will be disconnected. It went from nothing to bankruptcy right before Christmas,” Carolyn White said.

The family sold assets to repay the outstanding debt but in mid-January, as it was fighting bushfires, Alinta wanted it to pay its legal bills.

On January 31 the Federal Circuit Court ordered the petition be dismissed and ordered Alinta to pay the Whites’ costs of $6,824.80.

A spokesperson for Alinta Energy told 7.30 they could not comment on the specifics of a customer’s case for privacy reasons, but said “bankruptcy notices are used only as a last resort”.

“In the last four years, Alinta Energy has issued 13 bankruptcy notices and note that only one of these has resulted in a bankruptcy.”

The Age report provides:

Privacy and energy regulators will investigate energy giant Alinta after reports data storage conditions imposed on its sale to a Chinese company almost three years ago were not being enforced.

The Office of the Australian Information Commissioner, which regulates the Australian Privacy Act, said it would decide whether further action was required once it finished its inquiry, which was prompted by revelations on Monday in The Age, The Sydney Morning Herald and ABC’s 7.30.

Energy regulator, the Essential Services Commission, also confirmed it wanted answers after this masthead exposed gaping holes in the way Alinta protects the personal information of its 1.1 million customers.

Through its retail operations, Alinta collects names, addresses, birth dates, mobile numbers, Medicare and passport numbers, credit card details and in some cases individual health information.

A series of Alinta documents leaked by a whistleblower show that almost three years after then-treasurer Scott Morrison approved the company’s sale to Chinese-owned Chow Tai Fook on advice from the Foreign Investment Review Board (FIRB), the company’s privacy systems remain inadequate.

One internal document said Alinta “may not be adequately protecting personal information” and at times “doesn’t meet the requirements of privacy laws”.

The $4 billion sale of Alinta was on the proviso it would satisfy certain secret FIRB conditions. The leaked material includes a list of more than 10 secret FIRB conditions, which largely relate to data security.

A spokesman for the energy commission said Alinta had been the subject of the commission’s enforcement action. In 2018, Alinta Energy paid a $300,000 fine for allegedly transferring customers from other energy providers without their consent.

The commission will also commence its audit of Alinta Energy this month, a spokesman for the Information Commissioner said.

The government came under attack in parliament on Monday over when it became aware the privacy conditions of the energy giant weren’t being enforced.

“When did the Prime Minister first become aware the foreign investment conditions he imposed on Alinta Energy as treasurer, which were meant to protect the privacy of over 1 million Australians, were not being enforced,” Shadow Treasurer Jim Chalmers asked during question time.

Treasurer Josh Frydenberg responded on behalf of Prime Minister Scott Morrison, saying it wasn’t treasury’s practice to comment on specific foreign investment matters, particularly when they involved compliance issues.

The poor state of Alinta’s systems and the slowness to remediate prompted former chairman of the Australian Competition and Consumer Commission (ACCC) Allan Fels to question the decision by FIRB to allow a foreign company to take control of a critical piece of infrastructure when its systems were deficient.

“Now that we see how it [Alinta] handles data, it probably shouldn’t have been approved,” he said.

Professor Fels, who previously regulated the energy industry, said FIRB needed to be overhauled.

“FIRB isn’t independent, politically,” he said. “It’s not transparent. You don’t know the reasons or the nature of its decisions, especially conditions it sets, and it isn’t accountable or answerable to anyone,” he said.

Professor Fels was concerned that FIRB wasn’t properly enforcing the conditions it imposed.

The joint investigation also exposed the human cost with families, including dairy farmers the White family, exposed to heavy-handed tactics including bankruptcy, while other customers were subject to sheriff’s notices for late payments and other customers were signed up without their consent.

Alinta confirmed it had identified 24 cases of fraudulent behaviour by a third party sales channel including submitting sales without obtaining customer consent. It had reported them to the relevant authorities and no longer had a relationship with any of the companies involved.

An Alinta spokesman said eight cases of fraud were reported to the Australian Energy Regulator and Essential Services Commission in March 2019. Alinta signs up customers using different sales channels including third parties. It said these agents were paid per sale. Alinta staff were paid a salary with a commission component.

 

 

 
