Cyber Incident Victim: Energy One Limited
Date: Aug 2023
Location: Australia
Summary
Energy One Limited experienced a cyber-attack affecting certain corporate systems in Australia and the United Kingdom. The company took immediate steps to limit the impact, engaged cybersecurity specialists, and alerted authorities. Its investigation is focused on securing systems and determining if any personal information or customer-facing systems were compromised. Some links between corporate and customer-facing systems were disabled as a precaution while the response and inquiry continue.
Description
On Friday, 18 August 2023, Energy One Limited identified that a number of its corporate technology systems, located in both Australia and the United Kingdom, had been compromised by a cyber-attack. The discovery of this incident prompted the company to initiate an immediate and coordinated response. The organization's foremost priorities were declared to be the safety and security of its personnel, its customer base, and the integrity of its various technological systems. As a critical first step in managing the situation, Energy One engaged the services of external cyber security specialists, the firm CyberCX, to assist with the investigation and remediation efforts. Concurrently, the appropriate governmental authorities were alerted to the breach; this included notifying the Australian Cyber Security Centre and making certain notifications to relevant United Kingdom authorities.

The initial phase of the response involved taking decisive action to limit the immediate impact and potential spread of the attack across the corporate network. This containment strategy was a primary focus to prevent further unauthorized access or damage. As part of this effort to ensure customer security and integrity, Energy One made the decision to proactively disable some of the electronic links that connected its internal corporate systems to its external, customer-facing systems. This action was taken as a precautionary measure to isolate the corporate environment where the breach was detected and to protect the customer platforms from potential cross-contamination or secondary infection, thereby safeguarding client data and operational continuity for its trading and risk management software services.
Following the initial containment steps, a detailed analysis was commenced to understand the full scope and ramifications of the security event. This investigative process was multifaceted and ongoing. A key line of inquiry for the company and its cyber security partners involved the work to fully secure all of Energy One’s systems, ensuring that any persistent threats were eradicated and that vulnerabilities leading to the initial compromise were addressed to prevent re-entry. Another critical aspect of the investigation focused on establishing whether any personal information had been accessed or exfiltrated during the attack, and to what extent, if any, customer-facing systems had been affected by the malicious activity. Determining the nature of any data involved was a significant priority.
A parallel and equally important investigative thread was the effort to identify the initial point of entry used by the threat actors to gain access to the corporate network. Understanding the attack vector, whether it was a phishing campaign, exploitation of a software vulnerability, or another method, was essential for preventing future incidents and for strengthening the organization's overall security posture. Furthermore, the analysis aimed to identify which, if any, additional systems beyond those initially known may have been affected by the cyber-attack, as the full extent of the compromise was not immediately known at the time of the initial announcement on 21 August 2023.
The company's response to the incident was characterized as continuous, indicating a prolonged effort to fully remediate the issue and restore complete normalcy to its operations. Energy One committed to providing updated information to stakeholders, customers, and the public as it gained greater clarity about the incident's specifics and developed a more concrete understanding of the likely timeframe required for its full resolution. The communication emphasized transparency within the constraints of an active investigation, acknowledging that details would emerge over time as the forensic analysis progressed. The engagement of specialized external consultants underscored the seriousness with which the incident was being treated and the complexity of the investigation required.
The impact of the incident extended beyond the immediate technical disruption to internal corporate systems. The deliberate disconnection of links between corporate and customer systems, while a necessary containment action, had operational implications. This action potentially affected the seamless flow of data and the integrated functionality that clients relied upon for Energy One's suite of services, which includes ETRM – Commodities Trading, Settlements and Risk Software, Power and Gas Scheduling, Nominations and Bidding Software, Algotrading and Auction Bidding Software, and other critical energy market operations solutions. The precautionary measure highlighted the interconnected nature of modern business systems and the delicate balance between security and accessibility following a cyber event.
The announcement served as the company's formal disclosure of the event to the Australian Securities Exchange and its broader investor community, fulfilling its regulatory obligations. The public statement provided a high-level overview of the situation without delving into specific technical details that could compromise the ongoing investigation or provide a roadmap to other threat actors. The provided contact for further information was Andrew Bonwick, the Board Chairman, indicating that the incident was being managed at the highest levels of the organization. The response framework demonstrated a structured approach to crisis management, involving technical experts, legal and regulatory compliance, and executive leadership oversight to navigate the challenges posed by the cyber-attack. The work to fully understand the consequences and to return systems to a fully secured state remained active and ongoing following the initial disclosure.
