The whistleblower was concerned about the poor protection of customer data inside Alinta and questioned the sale process of critical infrastructure to foreign companies. Under privacy laws, companies must have the proper systems in place to protect customer and supplier information to mitigate the risk of a cyber attack that could result in identities being stolen or customer information misused. One document, a June 2019 privacy compliance audit by its internal auditor EY, assigned Alinta a “red” or “significant” risk rating on key aspects of its privacy compliance. It said Alinta lacked proper oversight and structure to manage privacy and may not be adequately protecting personal information” and at times “doesn’t meet the requirements of privacy laws". The EY report said there was no framework to manage the company’s privacy obligations.

“This is likely to lead to personal information being inadvertently accessed or to the personal information data being used for a purpose other than the notified purpose (particularly in relation to the data analytics performed by the retail business intelligence team)," the report said. Alinta declined an interview request but responded to a series of questions, including whether it had been warned it may be breaching Australian privacy laws. It said it "takes compliance with privacy laws seriously and we require a similar standard from all third-party contractors''. It confirmed it conducted a privacy audit by an "independent third party" and described the report as highlighting "a number of positive aspects of our approach alongside a number of opportunities to improve". It said the report suggested "the need for a privacy management framework, privacy officer, encryption standards and data strategy were highlighted and have been progressed". Privacy expert, Dr Vanessa Teague from Melbourne University, assessed the EY report and described Alinta as having a cavalier attitude to privacy.

Dr Teague said protecting personal information was important because if someone gained access to identity-proving information such as a driver licence, passport or Medicare number, they could use it to impersonate the owner online. “This is often used for financial fraud, such as taking out a loan or credit card in your name. The innocent party might lose a great deal of money and end up apparently 'owing' what they never borrowed,” she said. Chow Tai Fook was given the green light to buy Alinta for $4 billion in April 2017 on the proviso it would satisfy a series of conditions that weren’t made public. A year later it was given approval to buy the $1 billion Loy Yang B, an electricity power generation plant in Victoria which generates almost one-fifth of Victoria’s power.

The leaked material features highly-sensitive internal documents including a list of more than 10 secret FIRB conditions, which largely relate to data security. Conditions include that data - including bulk customer data, personal information or electricity or gas data - must be stored within Australia, can only be accessed within Australia and not be taken outside of Australia. It says that third-party providers must also comply with the FIRB conditions. The FIRB was set up in 1975 to advise the Treasurer on large foreign takeovers and critical infrastructure. In 2018, FIRB made decisions on more than 11,000 proposals worth $163 billion and knocked back only five. “There clearly wasn’t much pre-vetting or due diligence done in the sale of Alinta otherwise how could they [the government] allow a company with such a reckless approach to privacy and data be sold to an overseas company,” the whistleblower said. A statement from a Treasury spokesperson in response to a series of questions sent to FIRB said it wasn’t its practice to comment on foreign investors or compliance matters. It said Alinta was engaging constructively with FIRB to implement remedial activities endorsed by FIRB. “Whilst FIRB is engaging with Alinta it would not be appropriate to comment further,” the statement said.

FIRB promotes critical infrastructure and data security as a high priority. In a speech in August 2019, FIRB chairman David Irvine paid homage to foreign investment, including Chinese investment, but pointed out that many countries, like China didn't allow foreign ownership in key sectors. “In recent years, the FIRB has seen an increased number of foreign investment proposals seeking access to data centres and other facilities, that house, or have access to, sensitive private data about Australians. Consistent with our preference for mitigation, rather than prohibition, the development of data security conditions continues to be a key area of focus for the FIRB.” An email from Alinta’s legal department in October 2019 flagged potential issues with one of FIRB's conditions that requires Alinta - and third party contractors - to store Alinta data in Australia. The email said Electricity Monster, a third party used by Alinta and other companies including French-owned SimplyEnergy, to sign up retail customers, stored customer information in New Zealand and backed it up in Singapore. The email said, “Electricity Monster does not currently have plans to provide an onshore data storage solution”.

The email noted that the issue had been raised with one of the sales managers who wanted to “get in a room to understand the FIRB conditions and impact on the sales team. It said: “is this something that we can sit down and discuss..?” Alinta operates call centres in Perth and the Philippines. It said customer data was stored in secure data centres in Australia. Another document, titled FIRB Remedial Conditions - Timelines & Milestones, reveals Alinta has a long way to go to comply with some of the conditions. For instance, it sets itself a June 2020 milestone to complete a review of “all third party agreements to identify FIRB compliance” and to “implement processes to ensure it… has appropriate security controls in place to prevent the export of bulk personal data records… and reach a compliant state.”

Then there is a June 2019 EY internal privacy review, which included a set of recommendations, many of which should already be in place, but are yet to be implemented. They include that Alinta introduce a privacy management framework “which clearly defines roles and responsibilities for the management of privacy at an organisational level and defines Alinta’s position on privacy compliance.” When asked if it was complying with FIRB conditions, it said, "Alinta is treated as being in compliance with the conditions imposed by FIRB while it continues to implement remedial activities endorsed by FIRB". It said the expectation of FIRB was never that Alinta trigger multiple breaches of its contractual obligations to be fully compliant with all conditions on day one. "The expectation is, however, that Alinta Energy take steps to transition themselves into full compliance with all conditions within a reasonable timeframe having regard to these arrangements, and that is what has been occurring in a planned and monitored way." It said "remedial activities" would be completed by the end of the year, almost four years since FIRB and Mr Morrison approved the takeover and conditions. Under Chow Tai Fook, Alinta has aggressively signed up new customers, setting itself a target of 2000 customers a day. It recently slowed to less than 1000 a day. As customers surged, so did complaints. In 2015-2016, pre-ownership change, Alinta customer complaints were 377 compared with 2486 in 2018-2019, according to statistics from the Australian Energy Regulator.

Complaints include misleading sales tactics to sign up customers. In a statement, Alinta said complaints data indicated its current complaint rate was "statistically similar to its competitors or the industry average". It said it takes customer service seriously. "It's the key to us continuing to succeed in the energy market." The White family describes Alinta's customer service as "disgusting". A third-generation dairy farming family, they were blindsided in late 2019 when a bankruptcy notice was served on 80-year-old David White after the family says it missed a $2000 payment on an electricity bill. “There was no letter saying, you know, your account will be disconnected. It went from nothing to bankruptcy, right before Christmas,” said Mr White's daughter-in-law, Carolyn Waite. Alinta Energy pursued 80-year-old David White (right), and his family (left) for bankruptcy while bushfires threatened their dairy farm in King Valley in Victoria's High Country. Picture: Ron Ekkel Credit: The family sold assets to repay the outstanding debt of more than $20,000 to remove the bankruptcy threat. But in mid-January, as they were fighting bushfires, Alinta returned, this time demanding they pay its legal bill or the bankruptcy proceedings would continue.

“I explained the situation and that now was not the time to be calling. But she [the lawyer from Alinta] would not take no for an answer about $7000 in lawyers' costs that we had outstanding with Alinta,” Ms Waite said. “I needed to get my kids out, I needed to make sure our livestock was safe. The cows needed to be milked, and we did not know what would happen over the next few days with the weather conditions that were predicted… There was no emotion from her whatsoever. She couldn't care less.” Alinta declined to comment on the White family, citing privacy reasons. It said bankruptcy notices were used as a last resort. On January 31, the Federal Circuit Court ordered the dismissal of the bankruptcy petition and that Alinta pay the White’s costs of $6824.80. “We were treated like we didn't matter. We were just another number... There was no compassion. It was like speaking to a robot. There was nothing there. It was pretty disgusting,” she said.

*The ABC's 7.30 program will feature a report on the issue on Monday.