Geekzone: technology news, blogs, forums




BDFL - Memuneh
67785 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

#233799 3-May-2018 15:14

Just received:

 

 

VECTOR TAKES ACTION AGAINST STUFF LIMITED TO SECURE CUSTOMER DATA

 

Following the recent data breach of Vector customer information from the Vector Outage App by an unknown hacker, and the subsequent publication of a news story by Stuff based on that data, Vector has asked Stuff several times to secure, to return or to destroy the confidential Vector customer data now in their possession that was provided to it by the hacker. Stuff Limited has repeatedly refused this request.

 

In addition, we are aware of at least one Vector customer impacted who received an unsolicited approach from a Stuff reporter in the course of preparing the news story for publication.

 

We fully accept Stuff had a valid right to report on the original data breach. We have made it clear to Stuff that we were not seeking to prevent their reporting on the matter and we have not asked them at any time to disclose their information source. However, we do not believe Stuff should have compounded this matter by exploiting the customer data when reporting on it.

 

The breach having regrettably occurred in the first place, we are trying to take all the steps we can to reduce any additional impact to the privacy of our customers.

 

In today’s world, with the recent privacy related revelations about the likes of Facebook and the unauthorised use of personal information by third parties, we believe this is an issue that customers are increasingly aware of and concerned by.

 

Now that the story has been published we believe our customers’ data should be destroyed or returned to Vector. Given Stuff’s repeated refusals to Vector’s requests, Vector now considers it has no choice but to take legal action to ensure its customers’ private information is secured and protected. In our view not doing so would be tantamount to failing our customers again.

 

As a result, Vector has applied to the High Court for an injunction to protect the information from further use. We recognise that taking this step is likely to attract further media attention to Vector for the original customer data breach. However, we considered it is more important to take whatever steps we can to secure our customers’ data and protect their privacy.

 

ENDS

Background:

 

On the morning of April 26, Vector was made aware by Stuff that an unspecified third party had unlawfully accessed the personal information of up to 24,000 Vector customers and provided the data to Stuff. Stuff published a news story on this on the afternoon of April 26.

 

The information was from the Vector Outage App and included customer names, phone numbers, email addresses and postal addresses. It didn’t include financial information.

 

As soon as we became aware of the vulnerability in the app that led to the breach, we took immediate steps to rectify the issue and to ensure no further breaches occurred including:

 

• Immediately disabling the Vector Outage App.
• Identifying and resolving the specific vulnerability within the app that allowed the data to be accessed.
• Beginning to directly contact the 24,000 customers who may have had their data breached to apologise and to outline the steps we are taking.
• Working with the Office of the Privacy Commissioner.
• Engaging IDCARE, New Zealand’s national identity and cyber support specialists.
• Commencing additional work to address data security.

 





 

 

558 posts

Ultimate Geek

Subscriber

  #2007197 3-May-2018 15:33

It seems insane that Stuff are refusing to delete the list. What are they planning on doing with the information in the future?


To quote CERT: make sure that you responsibly report anything like this.






Geoff E


3154 posts

Uber Geek

Trusted
Lifetime subscriber

  #2007201 3-May-2018 15:40

It would be interesting to read some of the correspondence back from Stuff. As keeping the data and using it to make unsolicited contact with Vector's customers for their opinion that their data was compromised seems counter to the Code of Conduct part "I"

 

Only reading the Vector press release but bad form IMHO.





and


 
 
 
 


4771 posts

Uber Geek


  #2007205 3-May-2018 15:49

It sounds like Vector customers should take up their right to have Stuff provide a copy of any data that Stuff is holding on them

 

(even if they are not included in the leak, a few thousand people asking would certainly send Stuff a big signal and also give another avenue to pressure them)

 

either via

 

https://www.privacy.org.nz/further-resources/aboutme-request-my-info-tool/

 

Or directly to:

 

Privacy Officer 
Stuff Limited 
Post: 42 -52 Willis Street, Wellington, PO Box 2595, Wellington 
Email: privacy@stuff.co.nz

 

EDIT: Stuff now say the data containing names and addresses has been destroyed,

 

https://www.stuff.co.nz/business/industries/103605765/vector-data-leak-leads-to-legal-action-against-stuff

 

However, Stuff editorial director Mark Stevens said the Vector customer data had been destroyed by Stuff.

 

 


2195 posts

Uber Geek


  #2007222 3-May-2018 16:13

data gets STOLEN : 1st crime : theft, hacking

 

stolen goods(data) passed on to 2nd person. 2nd person keeps stolen goods, uses stolen goods, reads stolen data
2nd crime right there

The police should be involved from here on in. Staff at Stuff need to be charged
It's no longer just a civil case.

 

Why haven't Vector called the Police, why haven't the Police and various govt agencies become involved straight away
criminal activity by the hacker and possibly Stuff

 

I get the feeling we aren't getting the full story here

 

 


1468 posts

Uber Geek


  #2007402 3-May-2018 18:32

I guess summer interns won't be allowed near this stuff again :/

3256 posts

Uber Geek


  #2007430 3-May-2018 19:39

1101:

 

data gets STOLEN : 1st crime : theft, hacking

 

stolen goods(data) passed on to 2nd person. 2nd person keeps stolen goods, uses stolen goods, reads stolen data
2nd crime right there

The police should be involved from here on in. Staff at Stuff need to be charged
It's no longer just a civil case.

 

Why haven't Vector called the Police, why haven't the Police and various govt agencies become involved straight away
criminal activity by the hacker and possibly Stuff

 

I get the feeling we aren't getting the full story here

 

 

 

 

It didn't seem to stop Nicky Hager from getting a best selling book out of hacked personal data, so why should this be different?





Common sense is not as common as you think.


629 posts

Ultimate Geek

Lifetime subscriber

  #2007431 3-May-2018 19:46

Stuff claims they have already destroyed the data; and that Vector wants the original data back. In this digital world it's nonsense to ask for the "original" data back. While I can understand that Vector would want to have some sort of tangible assurance that Stuff no longer holds a copy of the data—but what I find difficult to understand is how Vector expects Stuff to prove they don't hold a copy. The only way for Vector to prove that is to have access to Stuff's IT systems which is another can of worms...

 

Best thing would have been for Vector to follow best practices in the first place, methinks.

 

https://www.stuff.co.nz/business/industries/103605765/vector-data-leak-leads-to-legal-action-against-stuff


 
 
 
 


21152 posts

Uber Geek

Trusted
Lifetime subscriber

  #2007433 3-May-2018 19:47

In these days of computery stuff this happens, not great. Accident, possibly slack or negligent, but not intended.

 

Stuff's actions are intended. Then they pursue unsolicited messaging, already against the law. To make news. 


21152 posts

Uber Geek

Trusted
Lifetime subscriber

  #2007435 3-May-2018 19:50

KiwiSurfer:

 

Stuff claims they have already destroyed the data; and that Vector wants the original data back. In this digital world it's nonsense to ask for the "original" data back. While I can understand that Vector would want to have some sort of tangible assurance that Stuff no longer holds a copy of the data—but what I find difficult to understand is how Vector expects Stuff to prove they don't hold a copy. The only way for Vector to prove that is to have access to Stuff's IT systems which is another can of worms...

 

Best thing would have been for Vector to follow best practices in the first place, methinks.

 

https://www.stuff.co.nz/business/industries/103605765/vector-data-leak-leads-to-legal-action-against-stuff

 

 

Bolded, yes, I agree. But this loss of security is not new. It happens. The inter webs are not 4 foot concrete walls fortified by 50kg titanium locks. The benefits of online do have risks. But when a public enterprise produces spam from the oversight, that's poor form to say the very least.


Webhead
2518 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #2007438 3-May-2018 20:00

 

As soon as we became aware of the vulnerability in the app that led to the breach, we took immediate steps to rectify the issue and to ensure no further breaches occurred including:

 

• Immediately disabling the Vector Outage App.
• Identifying and resolving the specific vulnerability within the app that allowed the data to be accessed.

 

 

I would not be surprised if their API allowed something like

 

example.com/url/customerid=1

 

And then access to user data. And that it was easy for "the hacker" to just set up a script to run through any possible combination and store that data.

 

 


2469 posts

Uber Geek


  #2007445 3-May-2018 20:19

KiwiSurfer:

Stuff claims they have already destroyed the data; and that Vector wants the original data back. In this digital world it's nonsense to ask for the "original" data back. While I can understand that Vector would want to have some sort of tangible assurance that Stuff no longer holds a copy of the data—but what I find difficult to understand is how Vector expects Stuff to prove they don't hold a copy. The only way for Vector to prove that is to have access to Stuff's IT systems which is another can of worms...

 

Best thing would have been for Vector to follow best practices in the first place, methinks.

 

https://www.stuff.co.nz/business/industries/103605765/vector-data-leak-leads-to-legal-action-against-stuff

 

 

Given that this probably came through the Stuff Secure Drop instance, I doubt Stuff would be willing to let anyone else have access to that.

 


558 posts

Ultimate Geek

Subscriber

  #2007446 3-May-2018 20:20

jarledb:

I would not be surprised if their API allowed something like


example.com/url/customerid=1


And then access to user data. And that it was easy for "the hacker" to just set up a script to run through any possible combination and store that data.


 



From what I read of it, it sounded far more likely that the Vector app was requesting a list of unconfirmed power outages and it was giving it as a list (JSON, XML etc.) with all of the information provided by the user instead of just, say, a location.

I could be wrong as I have not seen the actual data but from what was explained in the article that was the impression I got.




Geoff E
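
The two guesses in the posts above (jarledb's enumerable `customerid` lookup and geocom's outage list that returns every field the user submitted) correspond to two server-side controls. This is an added sketch, not part of the thread and not Vector's code; every name, field and record in it is constructed for illustration.

```python
# Added illustration; all names and records are constructed, not Vector's API.
from dataclasses import dataclass, asdict

@dataclass(frozen=True)
class OutageReport:
    report_id: int
    customer_id: int
    name: str
    phone: str
    email: str
    address: str
    suburb: str
    status: str

# Constructed sample data.
REPORTS = [
    OutageReport(1, 101, "A. Example", "021-000-0001", "a@example.com",
                 "1 Sample St", "Mt Eden", "unconfirmed"),
    OutageReport(2, 102, "B. Example", "021-000-0002", "b@example.com",
                 "2 Sample St", "Ponsonby", "unconfirmed"),
]

PUBLIC_FIELDS = ("report_id", "suburb", "status")  # allow-list for the public feed
PII_FIELDS = {"name", "phone", "email", "address"}

def list_outages_overexposed():
    """Weak form: serialises whole records, so every reporter's PII reaches every client."""
    return [asdict(r) for r in REPORTS]

def list_outages_public():
    """Hardened form: only allow-listed fields leave the server."""
    return [{f: getattr(r, f) for f in PUBLIC_FIELDS} for r in REPORTS]

def get_customer_reports(session_customer_id, requested_customer_id):
    """Object-level authorisation: the id in the URL must match the authenticated session."""
    if session_customer_id is None or session_customer_id != requested_customer_id:
        raise PermissionError("not authorised for this customer record")
    return [asdict(r) for r in REPORTS if r.customer_id == requested_customer_id]

def leaked_fields(payload):
    """Regression check: which PII keys appear anywhere in a response payload."""
    return sorted({k for item in payload for k in item} & PII_FIELDS)
```

Running `leaked_fields` against every public endpoint's response in a test suite catches the over-exposure case before release, independent of what the client app chooses to display.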


1211 posts

Uber Geek

Trusted

  #2007448 3-May-2018 20:22

1101: ... I get the feeling we aren't getting the full story here

 

Of course you are not. We only have one side of the story published here. In addition to that, it's the public & sanitized version.

 

     

  1. We don't have Stuff responding & giving their side of the story here (on this site).
  2. We don't know how Vector "asked" Stuff to destroy the data. Was Vector's tone petulant? Snotty? Arrogant? Or did they actually demand & immediately threaten legal action?
  3. Is "Stuff approaching & soliciting affected customers" not their job to try and get all sides of the story?

 

Let's hope this goes to a public court so that we can get those details.





Please keep this GZ community vibrant by contributing in a constructive & respectful manner.


3154 posts

Uber Geek

Trusted
Lifetime subscriber

  #2007460 3-May-2018 20:43

vexxxboy: It didn't seem to stop Nicky Hager from getting a best selling book out of hacked personal data, so why should this be different?

 

Never let the facts get in the way of a rant. Hager said a number of times he had destroyed the data after writing the book.





and


489 posts

Ultimate Geek


  #2007495 3-May-2018 21:07

geocom: From what I read of it, it sounded far more likely that the Vector app was requesting a list of unconfirmed power outages and it was giving it as a list (JSON, XML etc.) with all of the information provided by the user instead of just, say, a location.

I could be wrong as I have not seen the actual data but from what was explained in the article that was the impression I got.

Ahh yes. A “Hacker”

I wish this terminology wasn’t used in situations like this; it isn’t helpful.




pɐǝɥ sıɥ uo ƃuıpuɐʇs
