Powered by MOMENTUM MEDIA
cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Exclusive: Australian energy and internet provider Sumo confirms customer data breach

Customer credit scores, passports, driver’s licences and more were accessed by an “unknown person” via a third-party hack.

user icon David Hollingworth
Wed, 15 May 2024
Exclusive: Australian energy and internet provider Sumo confirms customer data breach
expand image

Sumo Energy has confirmed that it suffered an extensive data breach this week, with a large volume of customer information and documents shared on a popular clear web hacking forum.

The data had been posted last week, including PDFs of customer gas and electricity invoices in two sample lots.

The poster – who goes by the forum name “OriginalCrazyOldFart” – also linked to a site hosting details of a vast number of accessible Amazon web buckets, where the bulk of the data was stored.

============
============

According to Sumo, the issue is with a “third-party file storage application”.

“Sumo Energy confirms an incident in which customer information was accessed by an unknown person via a third-party file storage application used by Sumo. None of Sumo’s systems were accessed or affected,” a Sumo spokesperson told Cyber Daily.

“After being informed of the incident late on Monday, Sumo has acted rapidly to investigate and secure the third-party application.

“We deeply apologise to all customers affected by this. We are in the process of writing to all affected customers to inform them and explain the support we will provide.”

Sumo said that the following customer information was compromised by the breach: names, addresses, dates of birth, phone numbers, credit scores, as well as either passport, Medicare, or driver’s licence details.

Sumo has also confirmed that both former and current customers have been impacted by the breach but has noted that it does not keep copies of any identification documents.

Sumo’s daily operations have not been affected, and it has engaged identity protection firm IDCARE to support its customers and is offering “a complimentary Equifax credit and personal information monitoring subscription”.

“The company is notifying the relevant authorities of this incident and will continue to update them on any developments in our investigation,” Sumo said.

The data was posted to BreachForums on Saturday, 11 May, and Cyber Daily was alerted to the possible breach on Tuesday, 14 May, when we sought comment from Sumo on the breach.

The sample data includes a nearly one-gigabyte .zip archive of customer electricity invoices, while a second archive contains just shy of 160 megabytes of gas invoices. The data hosted on the external site includes files named “Legal - Sumo/Kel.zip”, “Legal - Sumo/ESC response”, and “Marc/ProPlus2019Retail.img”, as well as numerous smaller files, according to the poster.

“From Australia, something you ‘might’ have an interest in,” the poster said on Saturday, “if not, go to the next page. It’s FREE as usual to you & only good for 21 days, after that, ask someone who got a copy. Lol!”

The data appears to come from an unsecured Amazon S3 bucket called sumo-public-share.s3.amazonaws.com.

Sumo has not confirmed which of its third-party storage providers was compromised or the number of customers affected. According to an August 2023 report from Australia’s energy regulator, Sumo has over 31,000 electricity customers and about 8,300 retail gas customers.

Sumo has begun notifying its customers of the breach, in a letter with much the same wording as the statement provided to Cyber Daily. In it the company confirms that it has told the Office of the Australian Information Commissioner.

"We will continue to investigate whether the information is held by other parties," the letter said.

It also warned customers to be aware of any fraudulent bank account activity.

"We also urge you to be vigilant about any signs of identity theft. You may want to confirm with your bank, and other relevant parties, that they have adequate and robust fraud prevention measures in place, and that there has been no unusual or suspicious activity concerning your accounts," Sumo said.


UDPATE 15/05/24: Added details of customer letters

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

cd intro podcast

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it
newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.