Origin Energy

Origin Energy, a major Australian electricity, gas, and internet provider, experienced a data breach where a terminated employee stole encrypted credit and debit card details of 732 customers. The employee attempted to email the encrypted file to their personal account on 30 July 2025, following unauthorized copying of data between 12 October 2023 and 30 July 2025. While the file was encrypted and no evidence of external access or misuse was found, Origin could not guarantee the data’s safety. The company reported the incident to the Office of the Australian Information Commissioner (OAIC), law enforcement, and the Australian Signals Directorate (ASD). Affected customers were notified, offered complimentary credit monitoring, and advised to monitor accounts or replace cards. The former employee, though not charged, signed a statutory declaration claiming deletion of the file. Origin is conducting an internal investigation to prevent future incidents, emphasizing its existing cybersecurity training and incident response protocols.

Source: https://ia.acs.org.au/article/2025/origin-energy-confirms-data-breach-involving-credit-cards.html

TPRM report: https://www.rankiteo.com/company/origin-energy

"id": "ori3462434102325",
"linkid": "origin-energy",
"type": "Breach",
"date": "10/2023",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'customers_affected': '732',
                        'industry': ['energy',
                                     'utilities',
                                     'telecommunications'],
                        'location': 'Australia',
                        'name': 'Origin Energy',
                        'size': '~5,000 employees, 4.7 million customer '
                                'accounts (2025)',
                        'type': 'public company'}],
 'attack_vector': 'insider threat (malicious employee)',
 'customer_advisories': ['direct email notifications',
                         'public apology',
                         'credit monitoring offer',
                         'precautionary measures (e.g., account monitoring, '
                         'card replacement)'],
 'data_breach': {'data_encryption': True,
                 'data_exfiltration': True,
                 'file_types_exposed': ['encrypted file (unspecified format)'],
                 'number_of_records_exposed': '732',
                 'sensitivity_of_data': 'high (financial/payment information)',
                 'type_of_data_compromised': ['payment card details '
                                              '(credit/debit)']},
 'date_detected': '2025-07-30',
 'date_publicly_disclosed': '2025-07-31',
 'description': 'A former employee of Origin Energy, an Australian '
                'electricity, gas, and internet provider, stole encrypted '
                'credit and debit card details of 732 customers and attempted '
                'to email the data to their personal email address upon '
                'termination. The company confirmed the breach on 30 July 2025 '
                'and reported it to the Office of the Australian Information '
                'Commissioner (OAIC), law enforcement, and the Australian '
                'Signals Directorate (ASD). While the data was encrypted and '
                'no evidence of misuse was found, Origin could not guarantee '
                'the safety of the compromised payment details. Affected '
                'customers were offered complimentary credit monitoring and '
                'advised to take precautionary measures.',
 'impact': {'brand_reputation_impact': 'moderate (public disclosure, media '
                                       'coverage)',
            'customer_complaints': 'expected (affected customers notified)',
            'data_compromised': ['credit card details', 'debit card details'],
            'identity_theft_risk': 'low-to-moderate (encrypted data, no '
                                   'confirmed misuse)',
            'legal_liabilities': ['potential regulatory fines',
                                  'civil lawsuits (unconfirmed)'],
            'operational_impact': 'limited (investigation ongoing)',
            'payment_information_risk': 'moderate (732 records exposed)'},
 'initial_access_broker': {'entry_point': 'authorized employee access (abused '
                                          'post-termination)',
                           'high_value_targets': ['customer payment data'],
                           'reconnaissance_period': '2023-10-12 to 2025-07-30'},
 'investigation_status': 'ongoing (internal + external forensics)',
 'lessons_learned': 'Need for stricter controls on terminated employee access, '
                    'enhanced monitoring of data exfiltration attempts, and '
                    'reinforcement of insider threat training.',
 'motivation': ['retaliation', 'personal gain (unconfirmed)'],
 'post_incident_analysis': {'corrective_actions': ['Review and update employee '
                                                   'offboarding procedures.',
                                                   'Deploy advanced DLP tools '
                                                   'to monitor sensitive data '
                                                   'movements.',
                                                   'Strengthen behavioral '
                                                   'analytics for insider '
                                                   'threat detection.',
                                                   'Conduct a third-party '
                                                   'audit of data protection '
                                                   'controls.'],
                            'root_causes': ['Insufficient controls to prevent '
                                            'data exfiltration by terminated '
                                            'employees.',
                                            'Failure to detect unauthorized '
                                            'data transfer attempt in '
                                            'real-time.',
                                            'Potential gaps in encryption key '
                                            'management (if file was '
                                            'accessible post-exfiltration).']},
 'ransomware': {'data_encryption': True, 'data_exfiltration': True},
 'recommendations': ['Implement stricter access revocation protocols for '
                     'terminated employees.',
                     'Enhance Data Loss Prevention (DLP) solutions to detect '
                     'unauthorized data transfers.',
                     'Conduct regular audits of employee data access patterns.',
                     'Expand insider threat training programs.',
                     'Review encryption key management practices for sensitive '
                     'data.'],
 'references': [{'date_accessed': '2025-07-31',
                 'source': 'Information Age (Exclusive Report)'},
                {'source': 'Origin Energy Annual Report 2025'},
                {'date_accessed': '2025-07-31',
                 'source': 'Origin Energy Customer Advisory Email'}],
 'regulatory_compliance': {'legal_actions': ['reported to OAIC',
                                             'law enforcement notification '
                                             'pending'],
                           'regulations_violated': ['Australian Privacy '
                                                    'Principles (APP) under '
                                                    'Privacy Act 1988'],
                           'regulatory_notifications': ['Office of the '
                                                        'Australian '
                                                        'Information '
                                                        'Commissioner (OAIC)',
                                                        'Australian Signals '
                                                        'Directorate (ASD)']},
 'response': {'communication_strategy': ['public statement',
                                         'direct customer emails',
                                         'media transparency'],
              'containment_measures': ['termination of employee access',
                                       'internal investigation'],
              'enhanced_monitoring': 'existing (regular security monitoring '
                                     'per annual report)',
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'recovery_measures': ['ongoing investigation',
                                    'policy/control reviews'],
              'remediation_measures': ['customer notifications',
                                       'complimentary credit monitoring',
                                       'precautionary advice (e.g., card '
                                       'replacement)'],
              'third_party_assistance': ['external incident response firm',
                                         'forensics firm']},
 'stakeholder_advisories': ['OAIC notification',
                            'ASD notification',
                            'law enforcement engagement'],
 'threat_actor': 'former employee (terminated)',
 'title': 'Origin Energy Data Breach Involving Payment Details of Over 700 '
          'Customers',
 'type': ['data breach', 'insider threat'],
 'vulnerability_exploited': 'unauthorized data access/exfiltration by '
                            'terminated employee'}