Fuel for the privacy breach fire
A security flaw made more than 45,000 customers’ data available to anyone who may have stumbled into Z Energy’s fuel card website. Eugene Bingham and Paula Penfold of Stuff Circuit report.
Late last year, a website for a popular petrol company was taken down, out of the blue.
Z Energy – which says that, since it supplies about a third of the country’s fuel, it takes transparency seriously – told customers it had ‘‘identified an issue which required us to remove access to Z Card Online’’.
What was that issue? Initially, at least, Z kept very quiet.
But after sources familiar with what happened told Stuff Circuit the background and what they say unfolded, Z has now admitted what the issue was.
Chief executive Mike Bennetts says the company set up a ‘‘war room’’ to deal with it, and called in outside experts.
Extraordinarily, then, it wasn’t until he sat down with Stuff Circuit that the company finally understood the extent of the problem.
‘‘We clearly got that wrong and I apologise,’’ says Bennetts.
The issue with the Z card system impacts more than just the 45,000 cardholders.
It’s something other companies will look closely at too. Because any analysis of what happened raises questions about the difficulties all businesses face guarding customers’ private information these days, and the conundrum they face when deciding between being transparent and hunkering down in the hope they have fended off cyber invaders.
We live in an era of what is known as the data breach. In April, electricity network provider Vector had to shut down an app after Stuff revealed that a security vulnerability meant the private details of customers could be accessed.
The app, designed to allow customers to notify and track power outages, had a fault which meant information such as names, emails and GPS coordinates could be accessed using an HTTP proxy server, without the need to evade security measures.
As well as the shutdown, Vector had to contact customers whose details it believed may have been accessed.
Information security expert Lech Janczewski, an associate professor at Auckland University, says examples of data protection vulnerability are not uncommon. ‘‘Unfortunately for Vector, they were caught with publicity, but that sort of story happens quite often,’’ he says. ‘‘This is happening around the world – it isn’t a question of New Zealand or Auckland.’’
The problem, he says, is that companies put value in systems developers building something which looks good, but is not capable of withstanding an attack.
The Z Card Online site is primarily used by businesses to keep track of fuel accounts.
Through the site, companies can see and pay their accounts, keep track of fuel usage, and where and when vehicles are being filled up. It links to payment sites, including the Xero accounting system.
But visitors to the site in January were met with an apology, and the barest of explanations.
‘‘We’ve found a technical issue with Z Card Online that has required us to make the site unavailable,’’ a message from January 11 says.
‘‘We understand this impacts on your business and apologise for this. However, we are committed to having a reliable Z Card Online experience, and believe the best way to do this is to take the site offline until we have a fix.’’
The site’s functions were offline for about four months, coming back on slowly through a series of ‘‘quick releases’’. It’s now back up and running.
But in all the time it was down, Z did not tell its customers what the issue was. It says it did that because there had not been any breaches.
But were there? And what was the problem? According to a source, in November last year, a customer noticed a ‘‘critical flaw’’ in the Z Card site. ‘‘The flaw allowed anyone to view the details of another account holder simply by changing the account number in the URL,’’ says the source.
‘‘The issue affected the entire Z Fuel Card portal and exposed the private details of every Z [fuel card] customer, including names and vehicle registrations, as well as the petrol stations that they had visited and when.’’
The person who discovered the problem had typed an incorrect account number into the website address bar on the portal, and immediately gained access without having to enter a password. Not quite believing it, they had tried again, and stumbled into the account of Z Energy staff.
‘‘Anyone’s account could be accessed,’’ the source says.
Any member of the public, even without having an account, could exploit the problem.
Imagine the implications. After easily gaining access to a customer’s account, a stranger could see not only contact information, but also licence plates, what petrol stations vehicles went to, and the names of people using the cards.
It would be a pretty powerful database and potential surveillance tool, and a possible weapon for anyone intent on industrial espionage (it would be helpful, for instance, for a company to know the movements of a rival firm, to see where and when opposition salespeople are going places).
As well, anyone with access could tamper with account settings, and would have access to some financial information such as balances.
‘‘Anyone was able to perform the full functions of an account holder,’’ says the source. ‘‘It was also possible to track where someone may be by looking at the stations that they visit and when. In some circumstances a person’s home address may have been recorded against their account.’’
Such an issue is potentially classed as a data vulnerability, and, since others’ accounts were accessed by at least one person (the person who alerted Z), a privacy breach.
The Office of the Privacy Commissioner says there is a distinction between a breach and a vulnerability.
By way of example, it uses the case of the Ministry of Social Development, where freelance journalist Keith Ng discovered he could use computers in branches to access customer information.
‘‘He then alerted our office and showed us the customer information he was able to access – so a vulnerability and a breach,’’ says a spokesman.
Where there have been breaches, the current law makes it voluntary to notify the office, although the Privacy Bill will make it mandatory over certain thresholds.
‘‘The law is just one aspect of the data security picture,’’ says the spokesman. ‘‘The rest is about acting ethically and doing the right thing to prevent a vulnerability or breach worsening, and to play a part in containing it so that it causes as small an amount of harm as possible to affected parties.’’
So how did Z react to the issue when it was raised?
In its annual report this year, chairman Peter Griffiths makes a bold statement: ‘‘We’re a company committed to full disclosure. At Z, we call it ‘being straight up’ and ‘sharing everything’.’’
After being contacted by the source via SecureDrop, Stuff Circuit approached Z asking if we could talk to someone about what happened, and how it was dealt with.
A spokeswoman got back to us, but it wasn’t really in the spirit of the commitment made by the company about transparency.
‘‘Yes, our Z Card Online system was taken down for a period whilst we made some improvements and changes,’’ she says. ‘‘But it is now back up and running, and we don’t really have any more to add on this.’’
It was not being any more forthcoming with its customers.
In late January, Z was saying that an issue had been identified which required the company to remove access to Z Card Online. ‘‘Instead of attempting to fix our older Z Card Online system, we have made a decision to build a new online portal for you.’’
By April, Z was telling customers the site had been offline because ‘‘our technology experts have been building a new Z Card Online portal’’ – there wasn’t even any mention of there originally having been an issue at all.
Eventually, after a series of exchanges with Z’s public relations department, and after information obtained from a source was put to them, the company responded.
It says that, late last year, the call centre was approached with a suggestion that there might be a vulnerability. ‘‘As soon as we were alerted to this, we took the entire Z Card Online system down as a precaution, which is standard procedure for any real or potential security threat,’’ says a spokeswoman. ‘‘We did not want to leave this system in operation if there was even a small risk that any data could be accessed.’’
An outside expert was brought in to figure out if there had been any actual security compromise. ‘‘They were unable to find any evidence of this. However, they did advise us that security could be further improved.
‘‘As we found no evidence that security had been compromised, we did not inform our customers. Again this is standard procedure given the number of direct and indirect threats we receive. However, we proactively took our system down given the advice that security could be further improved.’’
But some of what the company says doesn’t line up with what the source says, and what Stuff Circuit has been able to verify.
The first approach to Z Energy about the problem was in November, but the company did not seem to initially comprehend how serious the issue was, according to a source.
An initial patch was applied, which at least meant that a customer needed to be logged in before they could access others’ accounts – but the point was they could still access others’ accounts. Information seen by Stuff Circuit indicates that it wasn’t until mid-December, after Z was again approached and told the solution was not enough and that accounts were still vulnerable, that the system was shut down.
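The difference between the site as first reported, the site after the initial patch, and a site that checks who owns the account can be shown in a few lines. This is an added illustration, not Z Energy's code: the account numbers, session tokens, field names and function names are all constructed for the example.

```python
# Constructed sample data: account numbers, owners and fields are invented.
ACCOUNTS = {
    "1001": {"owner": "alice", "drivers": ["A. Driver"], "plates": ["ABC123"]},
    "1002": {"owner": "bob", "drivers": ["B. Driver"], "plates": ["XYZ789"]},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # session token -> user


class Denied(Exception):
    """Raised when a request must be refused; carries an HTTP-style status."""
    def __init__(self, status):
        super().__init__(status)
        self.status = status


def view_original(account_no, session=None):
    """As first reported: the account number in the URL is the only input."""
    return ACCOUNTS[account_no]


def view_first_patch(account_no, session=None):
    """After the initial patch: login required, ownership still unchecked."""
    if session not in SESSIONS:
        raise Denied(401)
    return ACCOUNTS[account_no]


def view_fixed(account_no, session=None):
    """Authenticate, then authorise: the account must belong to the caller."""
    user = SESSIONS.get(session)
    if user is None:
        raise Denied(401)
    account = ACCOUNTS.get(account_no)
    # Same answer for "not yours" and "does not exist", so the responses
    # cannot be used to learn which account numbers are valid.
    if account is None or account["owner"] != user:
        raise Denied(404)
    return account


def status(handler, account_no, session=None):
    """Return 200, or the refusal status, for one simulated request."""
    try:
        handler(account_no, session)
        return 200
    except Denied as exc:
        return exc.status
    except KeyError:
        return 404  # unknown account number in the unchecked handlers
```

A regression test for this class of flaw logs in as one customer and requests another customer's account number; the first patch passes a "must be logged in" test but fails that one.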
Furthermore, while Z says there was no actual security compromise, Stuff Circuit has seen evidence to show that claim is not quite right – according to a source, Z’s own accounts were accessed. Among the details seen were names of drivers and vehicle registration numbers. And with the click of one button, all company accounts could have been suspended.
A source has said at least one other account was accessed without the owner’s permission too.
Bennetts is polite, approachable and affable when he arrives for an interview.
Initially, he repeats much of what the company spokesperson has said, although he does provide more detail. He gives dates, confirming it was actually November 29 that Z was first alerted to the problem, and that an initial patch was applied to the site on December 6.
After the person who had alerted them told them the patch was ‘‘half-baked’’, the system was taken down on December 15.
Like the spokesperson, he is adamant there was no actual breach of private information, based on what internal and external experts told him.
‘‘In both cases they independently came back to us and said, ‘we cannot see any evidence of the system being compromised’,’’ says Bennetts.
In that case, he says, it was the right decision not to tell customers about what had happened.
His position changes, though, when we hand him a print-out of a screen shot. It’s from Z’s own company fleet, showing driver names, car registrations and other information.
‘‘It’s certainly a security breach,’’ he says. ‘‘We apologise for not actually responding to this appropriately, given what we knew at the time, and we assure [customers] that the steps we took were reasonable as we knew at the time. We took advice from outside parties, experts in this matter, as well as government agencies about how to deal with this matter. And each step of the way we were advised we were doing the right thing.’’
He emphasises that Z takes information security seriously, saying it is at the top of the agenda alongside physical health and safety.
And the replacement system, he says, is ‘‘a modern platform built with modern code, with modern security measures’’ so customers can be confident about it.
Lech Janczewski, from Auckland University, says high-profile cases of information security attacks mean more companies will be taking note of how seriously they should be handling the issue.
‘‘People are not trained to develop secure software.’’
The biggest problem, he says, is cost. While there are widespread concerns about security, ‘‘the truth is these concerns are not being translated into effective action’’.
Still, he says, the message does finally seem to be getting through to the top. A major global survey of companies shows that, 15 years ago, information security did not figure in executives’ concerns. ‘‘Now it’s usually one of the top three or four.’’
And at Z, you can bet it will now stay up near the top of the list of priorities.