During FY25, AGL identified and reported two Notifiable Data Breaches to the Office of the Australian Information Commissioner, compared with five in FY24. The decrease in Notifiable Data Breaches can be partly attributed to AGL's ongoing focus on continued enhancement to our privacy and data management processes and controls, which has included broad training and awareness campaigns and the implementation of enhanced data loss prevention capabilities. As was the case in FY24, AGL continues to invest in tools, controls and management practices designed to reduce the likelihood of further breaches, and to detect and remediate any breaches that occur in the future.

Incident title: My Account credential stuffing

Details: On 30 December 2024, AGL identified a number of suspicious login attempts to AGL customer accounts through the My Account platform, which in some cases resulted in changes to the email address and/or password linked to those customer accounts, and/or product changes. Due to the nature of the login attempts, and based on further investigation, it is believed that a malicious third party obtained customer login credentials via an unrelated non-AGL incident. Where the third party gained access to a customer's My Account, they had the ability to view various types of personal information, including but not limited to the customer's name, address, and current and past bills.

On 29 January 2025, the incident was reported to the Office of the Australian Information Commissioner (OAIC) as a notifiable data breach.

Incident title: Unauthorised disclosure of customer data

Details: On 24 December 2024, an existing customer contacted AGL requesting electricity supply to a new address. When adding the new supply address, AGL inadvertently carried over an authorised contact from the initial electricity supply address to the customer's new address details. In subsequent discussions with the customer, the customer indicated that they had been the subject of abuse while in a relationship with the authorised contact. AGL took immediate action to remediate, including removing the authorised contact and flagging the customer for Family Domestic Violence account protections.

On 7 February the matter was reported to the Office of the Australian Information Commissioner (OAIC) as a notifiable data breach.

Notes

Data comprises ‘eligible data breaches’ as defined in the Privacy Act 1988. An eligible data breach arises when there is unauthorised access, disclosure, or loss of personal information and AGL has not been able to prevent the likely risk of serious harm with remedial action.