Z Energy would like to assure customers that the current Z card online system is secure and there is no evidence to date that vulnerabilities in the former system resulted in any data manipulation. However, customers with any concerns around the previous system should contact the company.
On 29 November last year, Z was informed by a member of the public that they could view other customers’ accounts, as demonstrated by a screenshot of Z’s own corporate fleet.
Z Chief Executive Mike Bennetts said that Z believed this person’s intent was to help Z improve system security and had no reason to believe that any data was going to be shared or used in any way.
“We took it in good faith that this person would not share or exploit this information as we immediately went about fixing the vulnerability.
“We also immediately began investigating previous activity in the Z card online system, and undertook additional security monitoring from the time we were first notified.
“We, and our external cyber security experts, did not detect any suspicious activity around any of our customers’ data. Nor have we had any reports from customers of suspicious activity for a period prior to and post the first notification.
“When this same person raised concerns with the security upgrade we had put in place, we immediately took the maximum precaution of taking the site down completely,” said Mike.
The database in question used to hold Z card customer data such as name, address, registration number, vehicle type and credit limits. The system did not include bank or payment details.
Mike said that while Z, and the cyber security experts it has engaged, have not detected any customer data being compromised, Z is committed to assisting customers in any way possible in relation to this incident.
“I want to be clear that we, and our external cyber security experts, could not, and still have not, found any evidence of anyone tampering with customer accounts. The incident continues to be investigated by Z’s external cyber security experts and we will inform customers if any new information is uncovered.”
Mike said that some customers will quite fairly feel like they should have been told more explicitly about the issue.
“We had to make a difficult decision when notifying customers of the vulnerability, and we’re sorry that we have not been as straight up as we normally are,” said Mike.
“From the time this was first brought to our attention, we continually sought external expert cyber security advice as to how to deal with and message this vulnerability to our customers.
“The advice was to talk about this as a technical issue. External cyber security experts we spoke to strongly advised against talking about this publicly as a data privacy issue due to additional publicity typically increasing the risk of cyber security threats.
“We repeatedly challenged this counsel as it did not sit well with our values, but ultimately chose to follow the advice of our experts given our commitment to cyber security and mitigating risk to customer data and privacy.
“The advice from cyber security experts has proven to be true as, since this issue was reported, we have noticed an increase in targeted suspicious activity towards the new Z card system from offshore IP addresses.
“We continue to monitor this activity and any further potential risk. While no system is completely immune to attacks, Z’s new platform meets high standards of cyber security,” said Mike.
Z is choosing to talk about this openly now because a screenshot of Z’s corporate fleet account was sent to the media by a member of the public who accessed the system. As a result, Z is no longer treating this historic issue as a vulnerability, instead treating it as a breach, and has voluntarily informed the Privacy Commissioner of the issue.
Customers should contact their account managers or the Z Energy call centre (email@example.com or 0800 474 355) if they have any concerns or would like to speak with someone directly.
Media: Sheena Thomas 027 551 2589; Nicola Law 021 192 8181