Is Origin Smart sleepwalking into a shocking personal data breach?

Early last week, Origin Energy, Australia’s pre-eminent energy retailer, launched an online energy-use monitoring portal Origin Smart to much fanfare. All good – but what about the privacy and security of the data being collected and made available?

Origin Smart has all the characteristics of an information store that will be a target for hackers.

Knowledge is power and information about customers’ electricity usage is a saleable commodity. Information about electricity usage for business, government, defence and national infrastructure is of value to hackers and terrorists. (Origin Energy hasn’t made it clear whether Origin Smart will be available only to residential customers.)

Victorian customers can access the portal from any internet-connected computer. The portal does not utilise two-step authentication – that is, a second layer of security (such as being sent a password by text message) that makes a security breach less likely.

By contrast, most Australian banks and many online services, including Google and Dropbox, do use two-step authentication.

Failure to utilise these additional security measures is a potential flaw that makes Origin Smart more of a target than it needs to be.

At the most basic level, Origin Smart is collecting critical information about customers, putting it all into internet-connected systems and making it available to customers from any internet-connected computer around the world.

More concerning is the fact that the Origin Smart: Initial Privacy Consent provides a list of organisations that customers agree, when signing up to the service, to allow access to their data.

That list includes:

… relevant contractors which may include installers, mail houses, data processing analysts, IT service providers and smart energy technology providers, debt collection agencies and credit reporting agencies, relevant Government authorities…

Why would I want to share my half-hourly electricity usage data with a debt collector? Or a credit reporting agency for that matter?

Is Origin Smart being set up as a dual-purpose portal that will allow a range of companies to log in and access the complete energy usage history of one or more customers? No-one as yet is saying so, but it would be reassuring to have such issues clarified.

The Origin Smart Terms and Conditions indicate customer information will be sent to a “third-party smart energy technology provider” located in Colorado, USA.

The Australian government should be very concerned that potentially most (Origin Energy currently has 4.4m customers nationwide) of Australia’s residential, business and corporate energy usage is being sent to the USA – a country that does not have strict privacy and security rules.

Are we in danger of inadvertently paving the way for the largest personal data breach in Australian history? And all without having been attacked by Anonymous, by cyber-terrorists or a potential enemy nation carrying out an act of cyber-warfare.

Origin Energy has stated it will send customer data to a company in a country that does not require that company to keep the data secure and permits the company to on-sell the data to whomever they please. I’m gobsmacked.

Mark Gregory, Senior Lecturer in Electrical and Computer Engineering at RMIT University

Full article available at: https://theconversation.edu.au/is-origin-smart-sleepwalking-into-a-shocking-personal-data-breach-9236


11 Responses to Is Origin Smart sleepwalking into a shocking personal data breach?

  1. Mustak says:

    I’m still trying to get my stinking meter interval data, the dummies can’t get that right. They tried to get me to sign up to Origin Smart – the dodos couldn’t tell me if that tinker toy app had the interval data, gee whiz. I go to sign up, yep there it was, date of birth, go to hell I thought. Next blocker was the mandatory field – mobile phone! For the love of cream cheese, what is wrong with these big, lazy corporations? They know they have might on their side and the poor little grubby government follows like sheep. Tsk tsk.

  2. Archie says:

    GOOD FOLK; please don’t forget that one J. Kennett, Liberal party Premier, IS THE PERSON WHO PRIVATISED OUR POWER & WATER to the highest bidder! You / we should take Ted Baillieu, current Premier & Liberal Head Honcho, to court to get back our privacy rights; SOLD OFF by J. KENNETT!

    • Informed Choice says:

      Ted Baillieu is described as a ‘Hitler’ by the uni students protesting in Ballarat and they are correct! He keeps NONE of his election promises, and keeps blaming the previous government. Get real Baillieu!! STOP PASSING THE BUCK AND THAT GOES FOR DPI, ESV, ARPANSA, ETC, ALL TOTALLY USELESS DEPARTMENTS!!!

  3. Con says:

    DON’T WORRY, THE DPI IS ALL OVER IT WITH THIS “GENERIC RESPONSE”
    I can’t believe WE pay these people their wage!!!!

    Smart Meter Privacy, Opt Out and Metrology Procedures

    Thank you for your enquiry to our Customer Service Centre regarding the smart meter program. I apologise for the delay in responding.

    I appreciate your concerns about the perceived privacy impacts of smart meters.

    The Victorian Government has completed its review of the smart meter program. Based on this review the option that will deliver the most benefit is to continue with an improved roll out, with a greater focus on the needs of consumers.

    Privacy
    As part of the program review the Government commissioned an assessment of the application of privacy regulations for smart metering infrastructure. The assessment found that privacy controls are relatively strong in the smart meter program, with metering data suitably protected.

    A copy of the privacy impact assessment is available on the Department of Primary Industries website at http://www.dpi.vic.gov.au/smartmeters.

    I am advised that Victoria’s electricity distributors have developed their systems to ensure that smart meters and associated communication networks are equipped with security features to prevent unauthorised access. Access to data is restricted, and compliance with the Privacy Act and National Privacy Principles, including security processes and staff security checks, are mandatory.

    In light of the extra data smart meters will generate and as new applications become available, the assessment made recommendations about ensuring future compliance with the privacy regime. The Essential Services Commission has been asked to review the recommendations of the assessment. The Commission released its draft report on 18 May 2012 for public consultation and a copy can be found at http://www.esc.vic.gov.au

    I understand you may be concerned that the flashing light on the smart meter can pose a privacy risk as it indicates the rate at which power is being consumed by a household or business. However, in some respects this visual indicator is no different from the spinning disc found on old-style meters. Similar to the flashing light on the smart meter, the disc on the old accumulation meter spun according to the rate at which power was consumed by a household. Furthermore, the light on the smart meter will not be visible if the smart meter is in a closed meter box or, alternatively, it can be easily obscured if a customer is concerned it poses a privacy risk.

    Opt Out
    In relation to opting out of smart meter installation, now that the Government has completed its review and decided that the roll out will continue, all Victorian homes and small business will need to have their meter replaced. The review found that at this advanced stage allowing customers to opt out of having a smart meter installed would lead to higher costs for all consumers. This is because of the related costs and complexities of running dual metering systems, which would ultimately be passed on to consumers.

    Further, I am advised that the current metering equipment is the property of the distribution business. As such, the business is entitled to replace its own equipment and there is an obligation on a property owner to provide reasonable access to their property for this to occur.

    Replacement of a smart meter
    In relation to your request to remove installed smart meters, it is important to note that now the Government has completed its review and decided that the roll out will continue, all Victorian homes and small business will need to have their meter replaced by the end of 2013.

    Just as with the move to digital TV, where all customers have been required to change over to the new system, the same is necessary with the new electricity metering system.

    Furthermore, under the National Electricity Rules, together with the Metrology Procedures applicable to Victoria, once a device capable of producing interval energy data has been installed, electricity distribution businesses are not permitted to replace it with a device that can only produce accumulated energy data.

    More information on the smart meter program, including a privacy fact sheet, is available online at http://www.dpi.vic.gov.au/smartmeters or by calling the Department of Primary Industries on 136 186.

    I trust this information is of assistance.

    If you require clarification or have a further enquiry, please do not hesitate to contact the Customer Service Centre on 136 186 between 8am – 6pm weekdays or email: customer.service@dse.vic.gov.au

    • Linda says:

      Con
      Could you please post the date that the response was sent to you? I would be interested to know if others have received all or part of this generic response recently. This is NOT an open and shut case as the DPI insists so let’s keep researching and challenging their statements. Read the terms and conditions of Origin Smart, link in original article above and you will be horrified.

      • Con says:

        Hi Linda, I am not sure if you got my sarcasm comments at the start!!!!
        I DON’T trust the DPI and in my opinion they are treating this major issue as a joke!! Not only did I get a reply over a month later, they sent me a GENERIC response. They have sent a response to cover a bit of everything and not answer specific questions, they sent me information on things I didn’t even ask for, so I’m assuming everyone will be getting the same GENERIC reply.
        People will argue that they can’t reply to everyone individually, but my argument is that that’s their job, they cannot copy a GENERIC letter and send it out to everyone and expect to get paid with our tax money. It is totally unacceptable!!!!
        They are public servants, and it’s about time the public service starts acting for the public.

  4. Ms Rebel says:

    It is just typical of the lengths these companies will go to in order to snoop on their customers and reap more money for themselves in the process. I would advise people that this is yet another SCAM, leaving them wide open to identity theft or worse. Trust none of these Energy Retailers!

  5. fabian says:

    I don’t like what Origin is doing by collecting personal electricity data from their customers and then sending it right around the world. I think it is a breach of privacy and the so called ACCC morons should step in and stop this. I think this is a bloody disgrace.

  6. Beatrix Vant says:

    The Plot is thickening! I am considering moving back overseas…. :(((
    “Chased out of Australia by negligent electricity companies…”

  7. Rob Guy says:

    Apparently, any security system can be compromised, but I could keep money transactions apart from the internet by installing my own hardware power meter in series with the smart meter. This option depends on my retailer publishing pricing variations in real time. Combining this information with that from my own meter should confirm the retailer’s paper bill which I then meet with a cheque sent by ordinary mail.
    For privacy, I do like the German inventor’s machine which takes and later returns almost the same energy to the grid. To emulate typical household load patterns, I would add a random number generator, seeded with a Mersenne prime, .

  8. Pam says:

    THIS IS SCARY
    Mark. Do you have any influence to STOP THIS INVASION OF ONE’S PRIVACY? Fortunately I am not with Origin Energy for my Electricity, but I am with them for my Gas. I am at a loss at the moment, after reading your Article. WHY CAN’T SOMETHING BE DONE ABOUT THIS DATA BREACH??????????? BEFORE IT IS TOO LATE!!!!!!!!!!! Surely with all the other big problems the Government has at the moment this has to be dealt with ASAP!!!!!!!! I for one do not want my PRIVATE INFORMATION being sold off to USA or anywhere else for that matter. I too, am “GOBSMACKED”.
    Interested to see others’ thoughts………………Pam
