Sumo Energy Data Breach 2024

Here we go again.

We value our relationship with you and respect the privacy of your information, which is why we are writing to you about an incident that may affect your personal information.

On Monday evening, 13 May 2024, Sumo became aware of an incident where customer data was accessed by an unknown person via a third party file storage application used by Sumo. We can confirm that none of Sumo's systems were affected.

We are contacting you as we have identified that your personal information was accessed, and we deeply apologise.

Sumo has partnered with IDCARE, Australia’s national identity and cyber support community service. They have expert Case Managers who can work with you in addressing concerns in relation to personal information risks and any instances where you think your information may have been misused.

IDCARE’s services are at no cost to you. If you wish to speak with one of their expert Case Managers, please complete an online Get Help form at www.idcare.org and one of their case managers will call you back. IDCARE specialist Case Managers are available from 9am-5pm AEST Monday to Friday excluding public holidays. When engaging IDCARE please use the referral code ####

Additional information including important things to understand and steps you can take will be available on a dedicated Sumo incident web page hosted by IDCARE from 1 pm on 15 May 2024 at https://www.idcare.org/sumo-incident-response.

We have also arranged with Equifax to provide you with complimentary credit and personal information monitoring should you wish. Please register online with Equifax if you would like to take up this option. Here is their website link: https://www.equifax.com.au/assure. And here is your unique code to subscribe: ######

How are you affected?

The information accessed included certain information which was provided as part of your application to purchase energy from us at some point prior to November 2022, and included the following details about you:
Full Name
Residential Address
Date of Birth
Mobile Number
Credit Score
Drivers Licence
Sumo does not hold copies of any of your identification and therefore, no copies of your identification were subject to the incident.

What have we done and what are we doing about this?

Data protection is extremely important to us. We have investigated and assessed the incident, and are reporting it to the Office of the Australian Information Commissioner. We will continue to investigate whether the information is held by other parties.

What should you do to protect yourself?

You may want to check the following websites for tips on protecting your personal information and other relevant information:
Privacy Commissioner's tips on protecting privacy: https://www.oaic.gov.au/privacy/your-privacy-rights/tips-to-…
You can find out more about identity theft at https://www.scamwatch.gov.au/
You may also want to visit IDCare (www.idcare.org), a not-for-profit which offers personalised support to individuals who are concerned about misuse of their personal information.
We also urge you to be vigilant about any signs of identity theft. You may want to confirm with your bank, and other relevant parties, that they have adequate and robust fraud prevention measures in place, and that there has been no unusual or suspicious activity concerning your accounts.
We will, of course, assist with any queries or concerns you may have about this incident. To contact us, please email us at dataenquiry@sumo.com.au or call us on 03 9102 8400.

Once again, we apologise and you can be assured this incident is a priority for us.

Regards,


Comments

  • screams internally I am so over this. I am a customer but haven't received the email yet.

    • +1

      Maybe your info wasn't leaked?

  • +3

    Sumo does not hold copies of any of your identification and therefore, no copies of your identification were subject to the incident.

    but yet it says name, dob, license number etc was provided during an application?

    • +1

      I think it means they don't retain photographic copies of the ID

      • +2

        Correct.

        The thing is, they don't need to hold the details (numbers/etc) of the ID either.

        Let's say I have a NSW DL number 12345678, license ID is 1234567890, DOB is 01/01/1990, Expiry date on the license is 31/12/2024. Throw my name, address, etc into the mix as well if need be (I don't think they need to be, because my name, service address, etc are stored separately anyway).

        Concatenate the data into a string that's well defined in its structure:

        1234567812345678900101199031122024JoeBlogs1RandomStreetNowheresvilleNSW2000

        Salt that value. Hash that value. Store the hash. Dispose of the original data.

        A hash can't be reversed - so nobody can take the hash and backwards engineer the data.

        But if they ever need to prove that they did confirm your ID, they supply the salt, the hash and the hashing algorithm to the govt department asking for proof of identity, who build the concatenated string, add the salt, hash it and compare the hash values. If the hash values match, the data's a match (there's a TINY chance that two pieces of data result in the same hash, not enough to worry about. Hell, hash the data two ways and do both to ensure that the data's truly unique if you're really concerned).

        Do the same with passport data, etc. Your name, address and phone number are largely in the public domain anyway (whitepages anyone?) or easily obtainable. It's the card data, license data, passport numbers, etc etc that are the truly valuable piece of the puzzle that let cyber criminals steal identities.

        Is this achievable? Absolutely. Go read what PCI-DSS, PCI-PIN, PCI-P2PE, etc. require is done by anyone who holds payment card data or who transmits/stores payment information - or I can summarise for you and state that a mix of strong encryption and hashing is used.

        It'd be very simple for govt to mandate that these details are NOT to be stored, and have significant penalties for anyone who does store them (after a grace period to change processes). I strongly suspect (or is that hope?) the recently announced central repository of ID by the federal govt will do something very similar to this - if they store all the actual data unencrypted or even encrypted using reversible encryption, then it's just a massive target for hackers. And we know how good our governments often are at using computers…
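        As an added example (not the commenter's code) of the scheme described above: the fields are normalised into a fixed-order string, salted and hashed, and only the salt and digest are retained, using the commenter's made-up values as a constructed record. It uses PBKDF2 rather than a single hash pass because the salt is handed to the verifier and the fields carry little entropy, so a single fast hash over a known structure could be guessed field by field.

```python
import hashlib
import hmac
import secrets

# Fixed field order: every party must build the string identically.
FIELDS = ("licence_number", "card_number", "dob", "expiry", "name", "address")
ITERATIONS = 100_000


def canonical_string(record: dict) -> str:
    """Normalise each field (uppercase, alphanumerics only) and join in fixed order."""
    parts = []
    for field in FIELDS:
        value = "".join(ch for ch in str(record[field]).upper() if ch.isalnum())
        parts.append(value)
    # A delimiter keeps adjacent fields from running together ambiguously.
    return "|".join(parts)


def commit(record: dict, salt: bytes = b"") -> tuple:
    """Return (salt, digest); these two values are all that is retained."""
    salt = salt or secrets.token_bytes(16)
    message = canonical_string(record).encode("utf-8")
    # Salted, iterated hash (PBKDF2-HMAC-SHA256) in place of a single hash pass.
    digest = hashlib.pbkdf2_hmac("sha256", message, salt, ITERATIONS)
    return salt, digest


def verify(record: dict, salt: bytes, digest: bytes) -> bool:
    """Verifier rebuilds the string, hashes it with the supplied salt and compares."""
    _, candidate = commit(record, salt)
    return hmac.compare_digest(candidate, digest)


# Constructed sample record, taken from the commenter's made-up values.
SAMPLE = {
    "licence_number": "12345678",
    "card_number": "1234567890",
    "dob": "01/01/1990",
    "expiry": "31/12/2024",
    "name": "Joe Blogs",
    "address": "1 Random Street, Nowheresville NSW 2000",
}

if __name__ == "__main__":
    salt, digest = commit(SAMPLE)
    print(salt.hex(), digest.hex())
    print(verify(SAMPLE, salt, digest))
```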

  • got a similar message from Dell

  • +1

    Firstmac (I'd never heard of them either) also got breached.
    https://www.firstmac.com.au/about-us/news-room/a-message-to-…

    • Yeah I received one from firstmac as well which is related to loans.com.au.

      May as well publish all my details right here right now.

      • The details include names, contact information, dates of birth, bank account information and driver's licence numbers.

  • +3

    Somebody stole an expired Victorian licence of mine to make a fraudulent Optus account a few years back. Not sure how this was accepted by Optus but it was.
    They racked up 2k in debt, but the worst part was that led me to getting included in the Optus breach.

    Now I'm included in this. I'm absolutely sick of giving my info to anyone. There's no need for them to retain my drivers licence details after I've been a customer for over a year. For what purpose would they need that?

  • It has been 1̶ 0 days since a Data Breach.

    These hackers are stupid. They already have 8̶ 9 copies of my data.

  • +1

    I got the email as well. Haven't been with them since 2022; why are they holding this info accessible to third parties?
    My info was also leaked in the Latitude cyber attack; haven't been with them since 2010.

    • This is the other one that really annoys me.

      Not only is there no real excuse for ever storing a lot of the data these organisations store, there's even less of an excuse to hold it for as long as they do after contracts expire.

      I was in the Optus breach and hadn't been a customer since about 2010. Latitude I wasn't a customer of for years either. Thank goodness I wasn't a Medibank customer. And let's not kid ourselves - there's breaches out there right now that we're not aware of yet, and we could well have our data compromised and not know it yet.

      Sadly, until there are new laws about what can and cannot be stored, and then real penalties for breaches (the penalties against Optus, Medibank, Latitude, etc have been pathetic - is it any wonder these companies simply don't care?), nothing will change.

  • +1

    With all the data breaches happening, you would think companies would take it seriously now but I guess not until it happens to them.

    • For clarification, I believe the third party they are referring to is whoever their cloud storage provider is for some of their database stuff, be it AWS or Microsoft Azure. You need to remember that by default these solutions are all self-managed, meaning that the organisation either needs to hire IT people with specific skills or buy a managed service off another firm.
      A lot just get their internal IT staff to look after it, presuming they know what they are doing because they work in IT.
      Not all of them have a clue or the experience.
      Even the so-called support that Microsoft and AWS offer doesn't include any server management; that is generally referred to external partners such as Telstra and other large partners for these larger clients anyway.
      Small businesses are left to fend for themselves or they look for smaller partners.

      • +1

        When I read their statement, my mind immediately went to "unsecured S3 bucket"…

  • +3

    I left sumo and requested all my information to be removed. Sadly, given the incompetence of society, it is apparent that this was NOT done as I received an email that my personal information was accessed. Surely, when you LEAVE a supplier, and request your personal information be removed, that they by law do it!!!!!!!!!!! Sumo failed to explain the 'third party file storage application' they use that was hacked. This is NOT good enough.

    • Surely, when you LEAVE a supplier, and request your personal information be removed, that they by law do it!!!!!!!!!!!

      Unfortunately the Australian Privacy Act doesn't include a "right to be forgotten" yet. Basically, no company can be forced to delete your data ever - as long as they think they could justify keeping it, if asked by the regulator (which doesn't happen anyway).

      There have been Privacy Act reforms proposed and floating around for the last 5 years - it's way beyond a joke now.

  • +2

    So should I request to change my driver's licence…?

    • +2

      Why bother? There will be another data breach tomorrow.

    • +1

      Call IDCare, see what they say. In my experience they do their best to wash their hands of it and try to convince you that you don't need to do anything, but I trust that advice as far as I can throw a Cybertruck.

      I really think they're a "See, we're doing something, and something's better than nothing. Right? Right?" option for companies that suffer a breach.

  • +1

    It seems that security including cyber is an afterthought for lots of businesses

    • It's a cost. It's like insurance - nobody likes having to pay it, and every year that you pay it and you don't have to claim, part of you wonders "what could I have done with that money instead?". When a business is close to the line, it's a cost that people think they can avoid, and spend the money elsewhere (including, sadly, on lavish lifestyles for executives).

      Risk is (generally) rated on a risk matrix of likelihood vs impact. I really don't think that people are rating the chance and impact of a data breach highly enough. Certainly, the impact with our government's limp-wristed penalties isn't sufficiently threatening to companies (or directors or executives - you know full well that when the head of a company or a security executive leaves a company after a breach - fired, steps down, whatever - they get a golden handshake and move on to their next role before their "gardening leave" is finished).

      Fine companies AND senior managers individually $10k per record stolen, introduce criminal liability and mandatory jail time when liability is established for exec/board members and ban them from holding executive/board level positions for 10 years. Ignore claims like "highly sophisticated hack" when the reality is a publicly addressable API with no security was the actual cause. Watch the behaviour change.

  • +3

    Business as usual in this country….

  • +2

    Get used to this sort of shit.. the more life relies on everything online the more it will happen

    • +1

      It's only that way because of lax government regulation and enforcement.

      Honestly, doing this stuff properly isn't actually hard.

  • +1

    This could be as simple as the permissions on an Amazon S3 bucket being set to public by accident, takes an entire 3 seconds to occur but can leave some bad things to happen.
    Those details should not have even been stored on a system with internet access. That is why private clouds exist.
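    An added check (not from the thread or from any vendor) for the accidental-public-bucket case this comment raises: it scans a bucket policy document for Allow statements whose principal is everyone and that carry no Condition, run here over a constructed sample policy with a placeholder account ID. S3 Block Public Access, when enabled on the account or bucket, overrides such a statement, so this is a review aid rather than the only control.

```python
import json

# Constructed sample policy: one intended statement plus one that grants
# anonymous access. The account ID and bucket name are placeholders.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "Oops", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
    ],
})


def _is_public_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_statements(policy_json: str) -> list:
    """Return the Sids of Allow statements open to everyone with no Condition."""
    doc = json.loads(policy_json)
    stmts = doc.get("Statement", [])
    # A policy may carry a single statement object instead of a list.
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s.get("Sid", "<no sid>") for s in stmts
            if s.get("Effect") == "Allow"
            and _is_public_principal(s.get("Principal"))
            and not s.get("Condition")]


if __name__ == "__main__":
    for sid in public_statements(SAMPLE_POLICY):
        print("public statement:", sid)
```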

  • And another…

    news.com.au
