Z Energy covered up online security flaw
Z Energy had evidence about a privacy breach for seven months – only going public when confronted with it this week.
The company told its customers, the stock exchange and the Privacy Commissioner that it only knew about the information given to it by Stuff Circuit on Wednesday – but Stuff Circuit can now reveal the company was sent the same information seven months ago.
Stuff Circuit has also learned that the vulnerability meant hackers – or anyone – could change card PIN numbers without the customer knowing.
Z has confirmed this but says it did not happen.
The fresh details increase pressure over the company’s handling of the major security flaw and its communication with customers and the market.
An IT security expert told Stuff Circuit “it is a serious breach” and Z’s handling of it displays “either negligence or incompetence” – and raises questions about what the chief executive and board were told.
He said the fact that Z had not publicly acted on the information until confronted with it on Wednesday “beggars belief” and that Z’s response should have occurred when it was first given the information last November.
Z chief executive Mike Bennetts apologised to customers for the fault which hit the company’s Z Fuel Card Online portal.
There are about 45,000 Z fuel cards in the country. Z was alerted to the “critical flaw” by a member of the public on November 29 last year. It set up a “war room” to investigate the issue and shut down the system on December 15, Bennetts said. A replacement system which fixed the issue was rolled out this year.
Ben Creet, policy manager at InternetNZ, says the Z Energy case is an example of why “New Zealand needs to lift its game in terms of data breach reporting”.