NZX-listed fuel supply company Z Energy has revealed that it knew last November of a vulnerability in its Z Card system that could allow anyone to gain access to customer details.
The company’s belated disclosure, in an announcement to the NZX, prompted InternetNZ to hold up Z Energy as a classic example of what not to do, and to call for the expeditious introduction of mandatory data breach reporting.
A bill that would amend New Zealand’s 25-year-old privacy legislation was introduced into Parliament earlier this year, but privacy commissioner John Edwards said it did not have sufficiently robust penalties for data breaches.
The Z Card system flaw was exposed by news site Stuff.co.nz, forcing CEO Mike Bennetts to front the news service to answer questions and Z Energy to issue a statement to the NZX.
According to the Stuff report, the vulnerability meant that a customer’s account details could be exposed simply by typing that customer’s account number into a URL, and that Z Energy had been made aware of the vulnerability last November.
However, its NZX statement stopped short of conceding this, saying only that in November it had been made aware of a “potential vulnerability with the Z Card system.”
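The flaw described above, an account record reachable by anyone who puts an account number into a URL, is what application-security practitioners call an insecure direct object reference. The following is an added illustration, not code from Z Energy or its Z Card system: a hypothetical request handler that looks the record up by the number in the URL alone, beside a hardened version that checks the caller owns the account and returns only the fields a customer needs. The sample accounts, the `?account=` parameter name and the `session_user` argument are all constructed for the example.

```python
# Added illustration of an insecure direct object reference (IDOR) and its
# fix. Hypothetical code; it does not model Z Energy's actual system.
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class Account:
    number: str
    owner: str      # login name of the customer who owns the account
    name: str
    address: str
    pin: str        # sensitive: should never be returned to a browser


# Constructed sample data standing in for a customer database.
ACCOUNTS = {
    "1001": Account("1001", "alice", "Alice Example", "1 Example St", "4321"),
    "1002": Account("1002", "bob", "Bob Example", "2 Example Rd", "8765"),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested account (HTTP 403)."""


def account_number_from_url(url: str) -> str:
    """Extract the ?account=... query parameter, which the caller controls."""
    return parse_qs(urlparse(url).query).get("account", [""])[0]


def vulnerable_handler(url: str, session_user: str) -> dict:
    """The flaw: the account number from the URL is the only key used.

    session_user is accepted but never consulted, so any logged-in user
    (or anyone who guesses a number) reaches any customer's record, and the
    whole record, PIN included, is serialised into the response.
    """
    acct = ACCOUNTS[account_number_from_url(url)]
    return {"name": acct.name, "address": acct.address, "pin": acct.pin}


def can_access(url: str, session_user: str) -> bool:
    """Authorisation check: the record must exist and belong to the caller.

    Both failure cases yield the same answer so the endpoint cannot be used
    to enumerate which account numbers exist.
    """
    acct = ACCOUNTS.get(account_number_from_url(url))
    return acct is not None and acct.owner == session_user


def hardened_handler(url: str, session_user: str) -> dict:
    """Hardened version: authorise first, then return only customer-facing
    fields rather than the raw record."""
    if not can_access(url, session_user):
        raise Forbidden("account not found or not accessible")
    acct = ACCOUNTS[account_number_from_url(url)]
    return {"name": acct.name, "address": acct.address}


if __name__ == "__main__":
    # Alice asks for Bob's account: the vulnerable handler hands it over,
    # the hardened one refuses.
    print(vulnerable_handler("https://example.invalid/account?account=1002", "alice"))
    try:
        hardened_handler("https://example.invalid/account?account=1002", "alice")
    except Forbidden as exc:
        print("hardened handler:", exc)
```

The two defects are independent: the missing ownership check is the access-control bug, and returning the whole record is why a single such bug exposes fields like PINs that a customer-facing page never needed. Fixing either alone leaves the other; a review of an endpoint like this checks both.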
Nor did the NZX announcement say exactly what customer information was made available through this vulnerability, only what was not.
“This database holds customer data such as name, address, registration number, vehicle type and credit limits with Z. The data accessed does not include bank details, PIN numbers or information that would put customer finances directly at risk,” it said.
Stuff claimed to have a screenshot of compromised accounts that included “details of car registration numbers and drivers [and] also appears to give access to PIN numbers and the ability to suspend accounts.”
Z Energy’s announcement said that, having been presented with evidence of the privacy breach, it had “immediately acted to let affected customers know what data may have been accessed and has also advised the Privacy Commissioner of the breach.”
The company said it was “committed to assisting customers in any way possible in relation to this incident,” but the statement contained no apology.
Ben Creet, policy manager at InternetNZ and author of New Zealand’s guidelines on security vulnerability disclosure, said: “Once the media get involved in a security breach like Z Energy have had, there has been a failure of processes to disclose and fix a vulnerability.
“New Zealand needs to collectively lift its game when data breaches happen. The default position should be to tell your customers when a breach occurs.”
The New Zealand Internet Task Force released guidelines in 2013 on how to report security problems and how to receive such reports, and Creet said more New Zealand organisations should put in place their own vulnerability disclosure policies.
“InternetNZ will be reaching out to Z Energy on how they can implement a disclosure framework so that vulnerabilities are identified and fixed in a safe, collaborative timely manner,” he said.