Cyber Incident Victim: Kleenheat

In October 2020, Australian gas retailer Kleenheat notified customers of a data breach involving exposure of personal information. The incident originated in 2014 on a third-party system no longer in use by the company, with the compromise discovered during routine data security checks in 2020. Kleenheat confirmed its internal systems were not compromised during the breach. Exposed data included customer names, residential addresses, and email addresses classified as general contact information. The company verified that more sensitive details such as phone numbers, dates of birth, bank account information, and credit card details remained secure. Kleenheat acted to secure the affected information upon discovery and stated no evidence suggested malicious exploitation of the exposed data. The breach notification was selectively distributed only to impacted customers rather than the entire client base.

Kleenheat engaged with regulatory authorities following the discovery, including filing a report with Australia's Office of the Australian Information Commissioner. The company implemented ongoing monitoring of its systems for suspicious activity related to the incident. No operational disruptions, financial fraud, or secondary malicious activities stemming from the breach were reported at the time of disclosure. The historical nature of the compromised third-party system limited immediate containment requirements beyond securing the outdated platform. Impact assessment focused exclusively on contact information exposure without indications of identity theft or financial harm to affected individuals. Kleenheat maintained customer communications regarding breach specifics while emphasizing the absence of compromised financial data or evidence of misuse.