VECTOR TAKES ACTION AGAINST STUFF LIMITED TO SECURE CUSTOMER DATA
Following the recent data breach of Vector customer information from the Vector Outage App by an unknown hacker, and the subsequent publication of a news story by Stuff based on that data, Vector has asked Stuff several times to secure, to return or to destroy the confidential Vector customer data now in their possession that was provided to it by the hacker. Stuff Limited has repeatedly refused this request.
In addition, we are aware of at least one Vector customer impacted who received an unsolicited approach from a Stuff reporter in the course of preparing the news story for publication.
We fully accept Stuff had a valid right to report on the original data breach. We have made it clear to Stuff that we were not seeking to prevent their reporting on the matter and we have not asked them at any time to disclose their information source. However, we do not believe Stuff should have compounded this matter by exploiting the customer data when reporting on it.
The breach having regrettably occurred in the first place, we are trying to take all the steps we can to reduce any additional impact to the privacy of our customers.
In today’s world, with the recent privacy related revelations about the likes of Facebook and the unauthorised use of personal information by third parties, we believe this is an issue that customers are increasingly aware of and concerned by.
Now that the story has been published we believe our customers’ data should be destroyed or returned to Vector. Given Stuff’s repeated refusals to Vector’s requests, Vector now considers it has no choice but to take legal action to ensure its customers’ private information is secured and protected. In our view not doing so would be tantamount to failing our customers again.
As a result, Vector has applied to the High Court for an injunction to protect the information from further use. We recognise that taking this step is likely to attract further media attention to Vector for the original customer data breach. However, we considered it is more important to take whatever steps we can to secure our customers’ data and protect their privacy.
On the morning of April 26, Vector was made aware by Stuff that an unspecified third party had unlawfully accessed the personal information of up to 24,000 Vector customers and provided the data to Stuff. Stuff published a news story on this on the afternoon of April 26.
The information was from the Vector Outage App and included customer names, phone numbers, email addresses and postal addresses. It didn’t include financial information.
As soon as we became aware of the vulnerability in the app that led to the breach, we took immediate steps to rectify the issue and to ensure no further breaches occurred including:
• Immediately disabling the Vector Outage App.
• Identifying and resolving the specific vulnerability within the app that allowed the data to be accessed.
• Beginning to directly contact the 24,000 customers who may have had their data breached to apologise and to outline the steps we are taking.
• Working with the Office of the Privacy Commissioner.
• Engaging IDCARE, New Zealand’s national identity and cyber support specialists.
• Commencing additional work to address data security