Interesting story on Stuff: Z Energy security breach, but this is the part that is really bad:
A Z spokesperson initially told Stuff Circuit they did not want to be interviewed, saying "yes, our Z card online system was taken down for a period whilst we made some improvements and changes. But it is now back up and running and we don't really have any more to add on this".
But after being told Stuff Circuit had more information, they eventually agreed for CEO Mike Bennetts to be interviewed, and, confronted with evidence, he admitted the company was not aware of the extent of the problem.
The Z Card Online vulnerability meant any member of the public could access accounts simply by changing the account number in the site's URL.
Bennetts said when initially alerted to the vulnerability the company sought experts to determine whether the system had been compromised.
"To the best of our ability to determine that, it had not been."
But on Wednesday, when shown screenshots obtained by Stuff Circuit of Z's own account details, Bennetts admitted the problem was far greater than Z knew.
The screenshot shows accounts under Z Energy Limited, and includes details of car registration numbers and drivers. It also appears to give access to PIN numbers and the ability to suspend accounts.
"We apologise for not actually responding to this appropriately, given what we knew at the time, and we assure [customers] that the steps that we took were reasonable as we knew at the time. We took advice from outside parties, experts in this matter, as well as government agencies about how to deal with this matter. And each step of the way we were advised we were doing the right thing."
When asked whether it seemed extraordinary that all the experts Z had engaged didn't identify the compromise found by a member of the public, he said, "Yes it's certainly very, very disappointing and I apologise to our customers about that. This is clearly something that was missed and we're very sorry about that".
It's a question of liability. When NZ companies are fined for data and privacy breach they will pay attention.