"Is this another example of marketing wonks over-extending their reach? "
None of the information they listed as being accessible is out of the scope of any utility that supplies on a "use now, pay later" basis - especially an energy supplier: credit information, payment history, income in some cases, bank account numbers (probably enough to steal from them, eh Jazzer :> ), addresses for supply and billing, contact phone numbers, whether they have a dog (not mentioned in the article but standard for every electricity/gas supplier I've ever known), social security number (from what I've read, every business in the USA seems to require that) and, yes, medical information - like "relies on respirator - DO NOT, under any circumstances, switch off their power no matter how far behind they get". (A woman actually died in New Zealand because the power company cut off her electricity, thus shutting down her oxygen machine - and left her family "to grieve in the dark".)
All of that information, and possibly more, LONG before the room-temperature-IQ marketroids start gathering "demographic information" to better assist them in bombarding the client-base with targeted advertising.
Sadly, even with information limited to what is necessary to conduct business (safely, without killing anyone) the potential for abuse by unscrupulous (or just plain nosey) employees is quite high. "Demographic surveys" conducted by some mag-biting barketroid are a whole different can of worms on top of that.
As has been mentioned: Where are their audit trails? Where are the differential access levels to ensure only those who need the data have access to it?
Unfortunately, while charity begins at home, IT security begins next door, so many organisations have no proper information security policies worth a cup of cold puke and everyone down to the janitor has full access to the client database.
The average company is loath to spend money on IT. Upgrading the staff PCs is a low enough priority, without "wasting money" on determining who needs what access, locking the system down to provide only the appropriate access, setting up audit trails and checking for inappropriate access. Most use outside contractors and the head bean-counter decides that the profit margin is best served by only getting the contractor to throw in a server, cable up a few PCs and printers and make a few generic accounts. Then it gets handed over to an under-paid employee with no formal IT training to create other login accounts as required.
Then something like this happens or the government sends out a team of professional IT auditors (as per the relevant Act) and, surprise, surprise, they find the security is atrocious and the system has been abused for years.
Then, like as not, that same bean-counter (untouched by any semblance of accountability) skimps on the funding again at the behest of the shareholders (also untouched by accountability) when it comes to bringing the system up to compliance.
So long as large amounts of data are held by companies whose primary concern is delivering increased profits to the owners/shareholders rather than delivering quality service and peace-of-mind to their clients, we will have major problems like this.
Tightening up the database and keeping access logs will not prevent unscrupulous staff from misusing information - but it will limit the scope of what they do by ensuring they only ever do something major once (before finding themselves on the client database of the local Welfare organisation...)
Who the fuck needs to worry about intruders?