Cyber security

Cyber security incident

CS Energy is responding to a cyber security incident that occurred on our ICT network on Saturday 27 November 2021.

The incident occurred on CS Energy’s corporate network and has not impacted safety or operations at our power stations. We continue to generate and dispatch electricity into the National Electricity Market.

We immediately notified relevant state and federal agencies, and are working closely with them and other cyber security experts. We are also in regular contact with our employees and customers.

Privacy and personal data

As part of our investigations, we can confirm that historical personal data of some CS Energy employees was accessed during the ransomware incident on 27 November.

The investigation is still at an early stage, but it appears that some HR data on our corporate network from before August 2010 has been accessed.

We take this issue very seriously. Our priority is the safety and security of current and former employees affected by this incident.

CS Energy has informed our current employees about the type of data that we believe has been accessed and the steps they can take to protect their information online.

While we investigate the specific details and identify those former employees who might be impacted, we encourage any former employees or job applicants prior to August 2010 to contact us if they have concerns. 

Accessing support

If you are concerned about the potential misuse of your personal information, we have arranged free support for current and former CS Energy employees from IDCARE, Australia’s national identity and cybersecurity community support service. Please engage an IDCARE Case Manager via IDCARE’s Get Help Web Form at www.idcare.org/contact/get-help using the referral code CSN22.

IDCARE’s National Case Management Centre can also be called between 8am and 5pm Monday to Friday AEST (excluding public holidays) on 1800 595 160.

FAQS

What type of personal data has been accessed?

At this stage it appears that the type of information that might have been accessed for employees and job applicants prior to August 2010 includes:

  • Full name
  • Date of birth
  • Tax file numbers
  • Home address
  • Bank account details
  • Remuneration
  • Onboarding reference checks
  • Onboarding health checks
  • Superannuation account details

I’m concerned about my personal data – what should I do?

We advise following prudent cyber security measures. These include:

  • Changing passwords for internet banking, social media accounts (such as LinkedIn), and personal email. Wherever possible, you should activate two-factor authentication to banking, email, and other personal online accounts. If you are concerned your current bank account details might have been accessed, contact your financial institution regarding monitoring for unauthorised transactions.
  • If you are concerned your tax file number may have been accessed, contact the Australian Tax Office (ATO) regarding monitoring for unusual activity.
  • Be hyper-vigilant and alert to emails, phone calls and text messages:
    • Do not click on links in emails where you cannot verify the sender. Always check the address in the "from" line of any emails, even if the name looks legitimate.
    • Do not provide any personal, password or account information if you receive phone calls of messages from banks, utility companies, retail outlets or other organisations. Make your own enquiries first to verify the identify and legitimacy of the caller.
    • Use different passwords for your personal use and on corporate systems. Passwords should be complex (that is, more than 13 characters and include punctuation marks, capital letters and numbers)
    • The Australian Cyber Security Centre has additional useful resources for personal cyber security here: https://www.cyber.gov.au/acsc/view-all-content/advice/personal-security-guides
    • The Office of the Information Commissioner has further useful information about identify fraud here: https://www.oaic.gov.au/privacy/data-breaches/identity-fraud

Has this personal information been published on the internet?

At this stage there is no indication the information has been published. We will update you if this changes.

What action has CS Energy taken?

CS Energy is working with a team of internal and external legal and cyber security experts. Our priority is to support employees, securely restore our systems and data, and investigate what personal data has been accessed.

The investigation is ongoing and may take some time, but we wanted to be open and transparent in line with our values. This information is the preliminary results of our investigation. We will continue to provide updates as appropriate.

Who should I contact if I have further questions?

For general enquiries, please email humanresources@csenergy.com.au.

If you are concerned about the potential misuse of your personal information, we have arranged free support from IDCARE, Australia’s national identity and cybersecurity community support service.

Please engage an IDCARE Case Manager via IDCARE’s Get Help Web Form at www.idcare.org/contact/get-help using the referral code CSN22.

IDCARE’s National Case Management Centre can also be called between 8am and 5pm Monday to Friday AEST (excluding public holidays) on 1800 595 160.

Alternatively you may visit IDCARE’s Learning Centre for further information and resources on protecting your personal information: www.idcare.org/learning-centre.

Information for customers

We want to reassure our customers that there continues to be no impact to your retail electricity supply as a result of the recent cyber security incident on our ICT network. We have provided email updates to customers and will continue to keep you updated.

If you have any questions, please contact us via the following phone numbers:

  • 1800 950 595 - for all billing enquiries
  • 0438 237 587 - for all account management enquiries.

media releases