Origin Energy hit by insider-led data breach

Cyber breach includes hundreds of credit card details

Insurance News

By Matthew Sellers

Origin Energy has confirmed to Information Age that an employee allegedly attempted to steal sensitive customer payment data, in what the company describes as a serious breach of trust and internal policy.

The breach, disclosed this week, involved encrypted credit and debit card details belonging to 732 customers. Origin told IA that the employee tried to send the file to a personal email account on 30 July 2025, shortly after their termination.

“We have discovered that a former employee acted in serious breach of our policies, procedures and the standards we require from our employees when handling customer data,” a spokesperson said.

The company has begun notifying affected customers and offering a year of complimentary credit monitoring. While internal investigations found no evidence that the data had been accessed or circulated externally, Origin conceded it could not “definitely rule out the possibility” that the information was still vulnerable. Origin is at least partially self-insured through a Singapore captive managed by Aon.

Ongoing investigation and regulatory reporting

Origin said the breach had been reported to the Office of the Australian Information Commissioner (OAIC), law enforcement, and the Australian Signals Directorate (ASD). The former employee has not been charged, and no ransom demands have been received.

The company, which serves around 4.7 million customer accounts nationwide, described the incident as isolated but acknowledged it was reassessing its data protection procedures.

“We are conducting our own investigation into the matter to see if there are any changes we can implement to ensure this isolated incident does not happen again,” Origin said.

Affected customers have been urged to monitor their financial accounts and consider replacing their cards as a precaution.

A pattern of compliance and privacy challenges

The breach adds to a string of compliance setbacks for Origin. Earlier this year, the company paid a $1.6 million penalty to Victoria’s Essential Services Commission after breaching rules protecting family violence survivors.

Between June 2021 and March 2024, Origin disclosed confidential information of 16 vulnerable customers without consent and pursued debt recovery against another 38, despite regulatory protections. The company blamed human error, self-reported the violations, and said it had implemented retraining and procedural reforms.

Commission chair Gerard Brody at the time described the lapses as “disappointing” and said they underscored the need for utilities to safeguard customer data and welfare.

Cyber resilience under pressure

Origin’s latest annual report highlighted a range of internal safeguards, including regular cyber awareness training, random employee testing, and annual privacy compliance programs. It also pointed to independent security audits and partnerships with external forensic specialists.

Despite these measures, the breach reinforces industry-wide concerns about insider threats — a growing source of data risk for Australian companies already grappling with rising cyber incidents.

According to the Australian Institute of Criminology, about one in four Australians had personal data exposed in 2024. For energy retailers like Origin, which hold vast troves of financial and personal information, the reputational and operational stakes remain high.

Origin said it remains committed to transparency and customer support. “We’re taking this matter very seriously and want to be fully transparent,” the spokesperson told IA.
