Western Australia’s largest energy generator and retailer, Synergy, appears to have been hacked and the personal details of around 900,000 customers exposed.
Cybersecurity company VECert said on X that the data includes full names, dates of birth, phone numbers, email addresses, physical addresses, account IDs, payment balances, and billing data (account balances, payment status, and BPAY references).
Customers’ National Metering Identifiers (NMI)—a unique 10-to-11-character code for an electricity connection used to identify a specific supply address—have also been breached, the company claims.
The information has been listed for sale by the threat actor, who goes by the alias “hackboy,” on a dark web forum.
VECert said the breach puts Synergy’s customers at “critical risk” of financial fraud and identity theft through “vishing”—where a thief uses personal data to impersonate an organisation via voice message or phone call to trick the victim into revealing sensitive information, such as login credentials or bank details.
It could also enable “targeted attacks on payment infrastructure in Australia.”
Three days earlier, the same hacker offered over 10 million records from KBank Vietnam.
Another cybersecurity analyst firm, Brinztech, also emphasises the serious nature of the threat, calling it a “Tier 1” event as it “weaponises technical and institutional trust,” saying scammer armed with real debt amounts and NMIs, could pose as Synergy collections staff, tricking customers into surrendering banking one-time passwords (a key component of two-factor authentication) or paying a non-existent “outstanding bill” via a fraudulent BPAY link.
The personal data could also be used to access other systems, Brinztech says.
“The exposure of names paired with DOBs and physical addresses is a catastrophic failure. In Australia, these are primary keys for identity verification in banking and myGov applications. Attackers use these ‘anchor identifiers’ to attempt unauthorised account recoveries or open fraudulent credit lines in the victim’s name.”
People’s habit of reusing passwords across multiple sites means anyone who purchased the stolen information may be able to use it to access Synergy customers’ primary email accounts, private banking, or even employers’ systems.
Synergy customers are advised to implement secondary verification (two-factor authentication) if they haven’t already and, if they receive a call claiming to be from the energy company, to call them back on their official numbers (13 13 53 for residential customers and 13 13 54 for businesses) before giving out any personal information.
There are also online contact options on the company’s official website at synergy.net.au.
A spokesperson for Synergy told the Epoch Times that it is “investigating a claim by an external party regarding a potential cybersecurity incident,” but that “based on information available at this time, there is no evidence of data loss or compromise.
“Synergy’s priority is the security of its customers’ data, and it is taking all necessary precautionary measures as appropriate, including working with the Office of the Digital Government and cybersecurity experts to thoroughly investigate the claims.”
Friends Read Free
Copy
Facebook
Tweet
