Weak ID checks are not just a privacy gap, they are a business risk
- R O'Brien
- Aug 29
- 2 min read
The Office of the Privacy Commissioner has highlighted a pattern of breaches across utilities including power, gas and broadband. The common theme is weak identity verification that made it easy for fraudsters to impersonate customers.
The consequences were significant. Accounts were opened in the wrong person’s name. Debt piled up and was sent to collections, damaging credit scores. Contact details were changed so that correspondence went astray. For many victims, the first sign of trouble was financial harm or service disruption.
At the centre of the problem is over reliance on basic data points such as name, date of birth or driver licence number. In an a
ge where this information is readily available through social media, public records or historic data breaches, those checks are no longer sufficient.
The Privacy Act requires agencies to put in place safeguards that are reasonable in the circumstances to prevent unauthorised access. What is reasonable will depend on the context, but utilities hold information that can be used as a stepping stone to wider fraud.
Forward looking providers are already lifting their standards. They are implementing multi factor verification, requiring secure passwords or PINs, and using trusted identity verification services. These are not just compliance box ticks. They are essential measures to reduce customer harm and maintain market confidence.
For boards and executives in the utilities and telco sector, the message is clear. Weak identity checks are no longer a minor operational gap. They represent a material risk to customers, compliance and brand trust. Now is the time to review and strengthen your processes before regulators, customers or competitors force your hand.
If your organisation needs advice on responding to breaches or boosting your privacy program, I would be happy to help. Get in touch.
Comments