New Zealand-based fuel supplier, Z Energy, has announced that “customer data from its Z Card online data base (ZCOL) was accessed by a third party in late November 2017”.
How did the breach occur?
On its website, Z Energy revealed that “the third party found a way to get unauthorised access to the part of the database that holds data about customer fleets such as names, addresses, registrations numbers, vehicle types and Z Card credit limits”. It does not believe that any financial data was accessed.
According to Stuff Circuit, which has investigated the breach, Z Energy was alerted to a “critical flaw” in the system by a member of the public on 29 November 2017.
This flaw allegedly allowed anyone to view the account details of another account holder, simply by changing the digits used in the URL, without the need to enter a password.
After being informed of the privacy breach, Z Energy immediately acted to let affected customers know that their personal data may have been accessed.
At the time, the fuel supplier was not aware of the full extent of the breach.
Mike Bennetts, CEO of Z Energy, told Stuff Circuit, “We apologise for not actually responding to this appropriately, given what we knew at the time, and we assure [customers] that the steps that we took were reasonable as we knew at the time. We took advice from outside parties, experts in this matter, as well as government agencies about how to deal with this matter. And each step of the way we were advised we were doing the right thing.”
Z Energy has alerted the incident to the Privacy Commission and has engaged in penetration testing across all of its customer-facing systems to assess for any further vulnerabilities.
The ZCOL system ceased operation in December 2017 and the company is also taking down a similar system for the Star Card with immediate effect, until it can be confident it does not hold the same vulnerabilities.
How can organisations prevent this happening in the future?
To prevent attacks such as this one, it is essential that organisations are aware of the risks and vulnerabilities they are facing, and implement appropriate measures to address them.
Reduce cyber risk with ISO 27001
Irrespective of industry sector, organisation size, or your perception of the possible value of your organisation and your information assets to an attacker, you are – on a daily and ongoing basis – at risk of a potentially catastrophic cyber attack.
ISO 27001 describes best practice for an ISMS (information security management system). Achieving accredited certification to ISO 27001 demonstrates that your company is following information security best practice.
Our free green paper, Reduce your Cyber Risk with ISO 27001, outlines how ISO 27001 can help your organisation to reduce the risk of a data breach.