Greater Western Water Billing System Update Results in Over 320 Data Breaches

Greater Western Water Experiences Significant Data Breaches Following Billing System Overhaul

Greater Western Water, a Victorian Government-owned utility, has reported at least 320 breaches of customer privacy following its transition to a new billing system. The overhaul consolidated the billing systems of City West Water and Western Water, the two utilities that were merged to form the current entity.

The issues with the new system began emerging in March, when nearly 200 customers had their billing information sent to incorrect addresses, prompting concerns about the mishandling of private data. The complications arose chiefly from inaccuracies introduced while migrating customer data to the new platform, known as CustomerPlace.

Greater Western Water disclosed that the source data from the legacy systems contained outdated contact information and invalid accounts, complicating the transition. “The legacy systems included inactive and dummy accounts, as well as manual modifications,” the utility explained to the Office of the Victorian Information Commissioner (OVIC). The mismatch between the older data formats and the requirements of CustomerPlace led the project to define 81 validation rules intended to enforce data integrity during the migration.

However, shortly before deployment, certain validation rules were relaxed so that accounts which did not meet the established criteria could still be loaded into the new system. The decision was made to keep to the project timeline. One critical lapse involved a rule that incorrectly defaulted customers’ preferred billing method: accounts marked for electronic billing or BPAY in the legacy system were switched to postal delivery in the new system because of a misconfiguration during migration.
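The mechanism described above (a validation rule relaxed to meet a deadline, with the unmapped value falling through to a postal default) is easy to reproduce in a few lines. The following is an added illustration, not code from Greater Western Water, its vendors, or the CustomerPlace platform; the field names, legacy codes, rule names and sample records are all constructed assumptions. It runs the same small rule set twice, once strictly and once with the delivery-mapping rule switched off, and reports which accounts would silently start receiving paper bills.

```python
"""
Added example (not Greater Western Water's or its vendor's code): a small
rule-based migration validator showing how relaxing one validation rule turns
an unmapped billing-delivery value into a silent default of postal delivery,
and how keeping the rule strict quarantines the record for review instead.
Field names, codes, rule names and sample records are all constructed.
"""
from dataclasses import dataclass, field

# Assumed legacy code -> target value mapping for the delivery-method field.
DELIVERY_MAP = {"E": "EMAIL", "B": "BPAY", "P": "POST"}
DEFAULT_DELIVERY = "POST"  # what the target falls back to if nothing stops it


def normalise(value):
    """Legacy data carried manual edits: trim and upper-case before lookup."""
    return (value or "").strip().upper()


# --- validation rules: each returns None (pass) or a reason string (fail) ---
def rule_active(rec):
    if normalise(rec.get("status")) != "ACTIVE":
        return "account not active (inactive/dummy)"


def rule_delivery_mapped(rec):
    code = normalise(rec.get("delivery"))
    if code not in DELIVERY_MAP:
        return f"unmapped delivery code {code!r}"


def rule_postal_address_present(rec):
    # Only meaningful for records that will actually be mailed.
    target = DELIVERY_MAP.get(normalise(rec.get("delivery")), DEFAULT_DELIVERY)
    if target == "POST" and not (rec.get("address") or "").strip():
        return "postal delivery with no address"


RULES = (rule_active, rule_delivery_mapped, rule_postal_address_present)


@dataclass
class Outcome:
    migrated: list = field(default_factory=list)
    quarantined: list = field(default_factory=list)


def migrate(records, relaxed=frozenset()):
    """Run every rule whose name is not in `relaxed`. Failing records are
    quarantined; passing records are transformed. Relaxing
    `rule_delivery_mapped` reproduces the failure the article describes:
    unmapped codes fall through to DEFAULT_DELIVERY without anyone noticing."""
    out = Outcome()
    for rec in records:
        reasons = [r(rec) for r in RULES if r.__name__ not in relaxed]
        reasons = [m for m in reasons if m]
        if reasons:
            out.quarantined.append({"id": rec["id"], "reasons": reasons})
            continue
        code = normalise(rec.get("delivery"))
        out.migrated.append({
            "id": rec["id"],
            "legacy_delivery": code,
            "delivery": DELIVERY_MAP.get(code, DEFAULT_DELIVERY),
            "address": rec.get("address", ""),
        })
    return out


def silently_posted(outcome):
    """IDs that will now receive paper bills without a legacy postal
    preference: the population at risk of a misdirected-mail privacy breach."""
    return [m["id"] for m in outcome.migrated
            if m["delivery"] == "POST" and m["legacy_delivery"] != "P"]


# Constructed sample extract: a manual edit ("e-bill"), a blank value and a
# dummy account, the kinds of data the article says the legacy systems carried.
SAMPLE = [
    {"id": "A1", "status": "ACTIVE", "delivery": "E", "address": "1 Example St"},
    {"id": "A2", "status": "ACTIVE", "delivery": "e-bill", "address": "2 Example St"},
    {"id": "A3", "status": "ACTIVE", "delivery": "", "address": "3 Example St"},
    {"id": "A4", "status": "ACTIVE", "delivery": "P", "address": "4 Example St"},
    {"id": "A5", "status": "ACTIVE", "delivery": "b ", "address": ""},
    {"id": "DUMMY1", "status": "TEST", "delivery": "P", "address": "Old address"},
]

if __name__ == "__main__":
    strict = migrate(SAMPLE)
    loose = migrate(SAMPLE, relaxed={"rule_delivery_mapped"})
    print("strict: migrated", [m["id"] for m in strict.migrated],
          "quarantined", [q["id"] for q in strict.quarantined])
    print("relaxed: silently switched to post ->", silently_posted(loose))
```

The point of the `silently_posted` check is that it is cheap to compute before go-live on the full extract: a count of accounts whose delivery method changed to postal without a legacy postal preference is exactly the number the migration should have had to explain before the rule was relaxed. With the rule on, that count is zero and the odd records sit in quarantine; with it off, they ship.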

Compounding the problem, data from the two legacy systems was migrated at the same time, and testing was inadequate because it was conducted on incomplete datasets. The OVIC’s findings put the confirmed breaches at 320, although the commissioner suggested that the actual number of incidents could be much higher. Despite this count, the OVIC has opted not to assign blame or initiate further investigations at this time. “No conclusions should be drawn as to whether Greater Western Water or its vendors were primarily at fault,” the commissioner noted.

The OVIC has emphasized the necessity for organizations to prioritize the secure implementation of systems over strict compliance with deadlines. “Organizations should not prioritize deadlines and timing at the cost of individuals’ privacy,” the commission stressed. The experience of Greater Western Water serves as a cautionary tale, highlighting that diminishing the rigor of data validation processes can lead to more severe repercussions than a delayed project.

In response, Greater Western Water’s chair, Lisa Neville, acknowledged that the agency had not met the privacy expectations of its customers and affirmed that steps to enhance privacy and data security measures are now underway. As the organization navigates this turmoil, it remains a pertinent example for companies worldwide grappling with the complexities of data management and security during technological transitions.

For businesses planning to implement or overhaul their own systems, the Greater Western Water case is a useful reference point, but it should be read for what it is. The MITRE ATT&CK framework catalogues the tactics and techniques of an adversary, and no adversary was involved here: the breaches were the product of a migration defect (relaxed validation rules, a misconfigured default, and testing on incomplete data), not of initial access or data manipulation by an attacker. The applicable controls are those of data governance rather than intrusion defence: validation rules that reject or quarantine records instead of silently defaulting them, reconciliation of sensitive fields such as delivery preferences before and after migration, and rehearsal on complete datasets. Those measures protect sensitive information and support compliance with privacy obligations whether or not anyone is attacking the system.
