Manawatu Standard

Vector app glitch shares private data

- SUSAN EDMUNDS

A glitch in electricity network provider Vector’s Outage app has inadvertently revealed the names, email addresses, location and phone number of its customers.

The app is designed to provide information about power outages. It was used by many customers when a storm knocked out power to thousands of Auckland households earlier this month.

The app downloads the name, email, GPS co-ordinates and other data related to every unresolved outage reported via the app.

But that information can also be accessed by anyone else who has downloaded the app, via an HTTP proxy server and without the need to evade security measures.

The anonymous tipster who reported the problem was able to access 33,000 listings of Vector customers’ details. Some reports contained the same customers’ information multiple times.

Vector is the country’s biggest distributor of electricity and gas, owning and operating networks across Auckland.

‘‘Vector are publicly broadcasting the personal details and location of individual consumers when they are at their most vulnerable – alerting villains, very specifically, that citizens are without power, security alarms and lighting,’’ the source said.

‘‘Our agenda is simply to shine the light on this lack of basic competence at one of the country’s most important infrastructure networks, to protect fellow citizens by exposing this abuse … and to ensure accountability.’’

The problem had also been reported to Apple.

Vector chief digital officer Nikhil Ravishankar said the company had been made aware of the problem. ‘‘I should note that no customers’ financial or banking information was held in the app, and the data breach has not compromised the security of our website, financial or electricity network systems,’’ he said.

‘‘We are deeply sorry for this data breach … I have taken the immediate step of disabling the Vector Outage App until we can have total confidence our customers’ data remains secure.’’

Lech Janczewski, an associate professor in information security at the University of Auckland, was not surprised by the breach.

He said developers were often focused on making attractive apps that worked and did not consider how the personal data involved was collected and treated.

Ravishankar said the app had proven to be a popular and effective way of providing customers with individualised information about outages affecting them. It had struggled with the demand during the most recent storm.

‘‘It will now be completely rebuilt to manage the dual issues of demand during large outages as well as ensuring data security.

‘‘In the meantime, while the app is being rebuilt, any customers who need to report an outage should call 0508 VECTOR. Vector is notifying the Privacy Commissioner of the data breach, and is taking steps to determine which customers have been affected.’’

Electricity Authority chief executive Carl Hansen said the breach would be covered by the Privacy Act.

‘‘Electricity providers are covered by this legislation. The authority would expect any electricity participant to comply with privacy legislation,’’ he said.

‘‘The Electricity Authority has no regulatory oversight of customer information held by, or directly released by, a distributor.’’
