Early last week, Origin Energy, Australia’s pre-eminent energy retailer, launched an online energy-use monitoring portal Origin Smart to much fanfare. All good – but what about the privacy and security of the data being collected and made available?
Origin Smart has all the characteristics of an information store that will be a target for hackers.
Knowledge is power and information about customers’ electricity usage is a saleable commodity. Information about electricity usage for business, government, defence and national infrastructure is of value to hackers and terrorists. (Origin Energy hasn’t made it clear whether Origin Smart will be available only to residential customers.)
Victorian customers can access the portal from any internet-connected computer. The portal does not utilise two-step authentication – that is, a second layer of security (such as being sent a password by text message) that makes a security breach less likely.
By contrast, most Australian banks and many online services, including Google and Dropbox, do use two-step authentication.
Failure to utilise these additional security measures is a potential flaw that makes Origin Smart more of a target than it needs to be.
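To make concrete what the "second layer" described above adds, here is a small added example (written for this page, not Origin Energy's or Origin Smart's code) of the server side of a text-message style second step: a one-time code is issued after the password check, stored only as a keyed hash, and accepted once, within a time limit and within a bounded number of guesses. The helper names, the five-minute lifetime, the three-attempt limit and the demo key are assumptions.

```python
import hmac
import hashlib
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300      # assumption: a code sent by SMS stays valid for five minutes
MAX_ATTEMPTS = 3            # assumption: a code is discarded after three wrong guesses
SERVER_KEY = b"constructed-demo-key-not-for-production"  # constructed value for this example


@dataclass
class PendingCode:
    digest: bytes          # HMAC of (user, code); the plaintext code is never stored
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class SecondFactor:
    """Issues and verifies one-time codes as a second login step (hypothetical helper)."""

    def __init__(self, clock=time.time):
        # The clock is injectable so expiry can be exercised deterministically.
        self._clock = clock
        self._pending: dict[str, PendingCode] = {}

    @staticmethod
    def _digest(user: str, code: str) -> bytes:
        # Keyed hash so a leaked table of pending codes does not reveal live codes.
        return hmac.new(SERVER_KEY, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user: str) -> str:
        # secrets.randbelow draws from the OS CSPRNG; zero-pad to six digits.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = PendingCode(
            self._digest(user, code), self._clock() + CODE_TTL_SECONDS
        )
        # In a real deployment the code goes to the SMS gateway, not back to the caller.
        return code

    def verify(self, user: str, code: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._clock() > entry.expires_at or entry.attempts_left <= 0:
            del self._pending[user]          # expired or exhausted: force a fresh code
            return False
        entry.attempts_left -= 1
        # compare_digest avoids leaking how many bytes matched through timing.
        if hmac.compare_digest(entry.digest, self._digest(user, code)):
            del self._pending[user]          # single use
            return True
        if entry.attempts_left <= 0:
            del self._pending[user]          # too many wrong guesses: discard the code
        return False


def login(password_ok: bool, second_factor: SecondFactor, user: str, code: str) -> bool:
    # Both factors must pass; the second step is only consulted after the password check.
    return password_ok and second_factor.verify(user, code)


if __name__ == "__main__":
    sf = SecondFactor()
    issued = sf.issue("demo-user")        # would normally be sent by text message
    print("correct code accepted:", login(True, sf, "demo-user", issued))
    print("replayed code accepted:", login(True, sf, "demo-user", issued))
```

The point the example makes is that a stolen or guessed password alone no longer opens the account: an attacker also needs the code delivered out of band, and even that code is short-lived, single-use and guess-limited.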
At the most basic level, Origin Smart is collecting critical information about customers, putting it all into internet-connected systems, and making it available to customers from any internet-connected computer around the world.
More concerning is the fact that the Origin Smart: Initial Privacy Consent provides a list of organisations that customers, when signing up to the service, agree to allow access to their data.
That list includes:
… relevant contractors which may include installers, mail houses, data processing analysts, IT service providers and smart energy technology providers, debt collection agencies and credit reporting agencies, relevant Government authorities…
Why would I want to share my half-hourly electricity usage data with a debt collector? Or a credit reporting agency for that matter?
Is Origin Smart being set up as a dual-purpose portal that will allow a range of companies to log in and access the complete energy usage history of one or more customers? No-one as yet is saying so, but it would be reassuring to have such issues clarified.
The Origin Smart Terms and Conditions indicate customer information will be sent to a “third-party smart energy technology provider” located in Colorado, USA.
The Australian government should be very concerned that potentially most of Australia’s residential, business and corporate energy usage (Origin Energy currently has 4.4m customers nationwide) is being sent to the USA – a country that does not have strict privacy and security rules.
Are we in danger of inadvertently paving the way for the largest personal data breach in Australian history? And all without having been attacked by Anonymous, by cyber-terrorists or a potential enemy nation carrying out an act of cyber-warfare.
Origin Energy has stated it will send customer data to a company in a country that does not require that company to keep the data secure and permits the company to on-sell the data to whomever they please. I’m gobsmacked.
Mark Gregory, Senior Lecturer in Electrical and Computer Engineering at RMIT University
Full article available at: https://theconversation.edu.au/is-origin-smart-sleepwalking-into-a-shocking-personal-data-breach-9236