New Zealand's Z Energy suffers breach, customers' personal data, vehicle types exposed

• Z Energy said it was made aware of a vulnerability in its system in November 2017.
• The breach comes to light just months after Australia's new data breach notification laws came into effect

New Zealand-based fuel supplier Z Energy has revealed it suffered a security breach last year that compromised customer data in its Z Card Online database. The Z Card allows customers, mostly vehicle business fleets, to manage their fuel accounts online.

The company said it was presented with evidence this week that the database was accessed by a third party in November 2017.

Types of data compromised

The database contained customer data such as names, addresses, registration numbers, vehicle types and credit limits with the company. However, it did not include bank details, pin numbers or related financial data that would endanger customers' finances, the firm noted.

"This system enables the customer to manage their fleet directly rather than through requests to a call centre, e.g. change of cost centre for a vehicle within a large fleet," Z said in a statement.

Z Energy said it was made aware of a potential vulnerability in its Z card system last November. However, its internal IT department and "external cybersecurity experts" did not find evidence of any data breaches at the time. Z Energy added that it "took steps at the time to improve the security of the system."

The company, which operates in both New Zealand and Australia, did not specify how many customers were impacted by the breach or provide details on how the breach occurred. The system in question was closed on 15 December, 2017, and is no longer in operation, it noted.

"Z takes its data privacy responsibility and threats to cyber security very seriously and is taking steps to ensure the company learns from this incident," the firm said.

Report that breach

The breach has also come to light just months after new laws in Australia require companies to report data breaches. According to a recent report by the Office of the Australian Information Commissioner (OAIC), 63 data breaches were reported in the first six weeks of the country's new Notifiable Data breach scheme since the law went into effect on February 22.