Customers have been assured by Z Energy that the current Z card online system is secure and there is no evidence to date that vulnerabilities in the former system resulted in any data manipulation.
Nonetheless, customers with any concerns about the previous system can contact the company.
Last November, a member of the public informed Z Energy that they could view other customers’ accounts, as shown by a screenshot of Z’s own corporate fleet.
Z Chief Executive Mike Bennetts said they immediately began investigating previous activity in the Z card online system, and undertook additional security monitoring from the time they were first notified. Their external cyber security experts did not detect any suspicious activity around any of their customers’ data. They also did not have any reports from customers of suspicious activity for a period before and after the first notification.
The database in question used to hold customer data such as name, address, registration number, vehicle type and credit limits, but did not include bank or payment details.
While Z and the cyber security experts it has engaged have not detected any customer data being compromised, Z was committed to assisting customers in any way possible in relation to this incident.
From the time this was first brought to Z’s attention, it continually sought external expert cyber security advice on how to deal with the vulnerability and how to communicate it to customers. The advice received was to talk about it as a technical issue. External cyber security experts strongly advised against talking about it publicly as a data privacy issue, because additional publicity typically increases the risk of cyber security threats.
An increase in targeted suspicious activity towards the new Z card system from offshore IP addresses has been noticed since this issue was reported.
A screenshot of Z’s corporate fleet account was sent to the media by a member of the public who accessed the system and this is the reason Z has chosen to talk about this openly. Z has decided to treat it as a breach, instead of as a vulnerability, and has voluntarily informed the Privacy Commissioner of the issue.