Z Energy data breach

Forums › IT Pro and developers › Z Energy data breach

freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#237987 27-Jun-2018 21:55

Interesting story on Stuff: Z Energy security breach, but this is the part that is really bad:

A Z spokesperson initially told Stuff Circuit they did not want to be interviewed, saying "yes, our Z card online system was taken down for a period whilst we made some improvements and changes. But it is now back up and running and we don't really have any more to add on this".

But after being told Stuff Circuit had more information, they eventually agreed for CEO Mike Bennetts to be interviewed, and, confronted with evidence, he admitted the company was not aware of the extent of the problem.

The Z Card Online vulnerability meant any member of the public could access accounts simply by changing the account number in the site's URL.

Bennetts said when initially alerted to the vulnerability the company sought experts to determine whether the system had been compromised.

"To the best of our ability to determine that, it had not been."

But on Wednesday, when shown screenshots obtained by Stuff Circuit of Z's own account details, Bennetts admitted the problem was far greater than Z knew.

The screenshot shows accounts under Z Energy Limited, and includes details of car registration numbers and drivers. It also appears to give access to PIN numbers and the ability to suspend accounts.

"We apologise for not actually responding to this appropriately, given what we knew at the time, and we assure [customers] that the steps that we took were reasonable as we knew at the time. We took advice from outside parties, experts in this matter, as well as government agencies about how to deal with this matter. And each step of the way we were advised we were doing the right thing."

When asked whether it seemed extraordinary that all the experts Z had engaged didn't identify the compromise found by a member of the public, he said, "Yes it's certainly very, very disappointing and I apologise to our customers about that. This is clearly something that was missed and we're very sorry about that".

It's a question of liability. When NZ companies are fined for data and privacy breach they will pay attention.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

amanzi

Amanzi
1354 posts

Uber Geek
+1 received by user: 331

ID Verified

Trusted

Lifetime subscriber

#2045059 27-Jun-2018 22:16

Just listened to the interview too - really poorly handled. In summary, his response was: "There was no breach. But even if there was, we fixed it straight away. But even if we didn't fix it, it wasn't that bad." But in the end he had no choice but to apologise.

UHD

655 posts

Ultimate Geek
+1 received by user: 298
Inactive user

#2045102 27-Jun-2018 23:24

"The Z Card Online vulnerability meant any member of the public could access accounts simply by changing the account number in the site's URL."

You have to be joking. I can't think of a single decent web framework where something like this wouldn't require re-implementing auth completely to enable this behaviour.

michaelmurfy

meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator

ID Verified

Trusted

Lifetime subscriber

#2045105 27-Jun-2018 23:28

UHD:

"The Z Card Online vulnerability meant any member of the public could access accounts simply by changing the account number in the site's URL."

You have to be joking. I can't think of a single decent web framework where something like this wouldn't require re-implementing auth completely to enable this behaviour.

I think the thread may have been removed off here (or my google-fu is weak tonight) given how bad it was but Vodafone had a similar thing happen last year with My Vodafone: https://securitybrief.co.nz/story/vodafone-nz-customer-finds-major-loophone-my-vodafone-system/

But yes, pretty bad this time around also.

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

Andib

1395 posts

Uber Geek
+1 received by user: 974

ID Verified

Trusted

#2045142 28-Jun-2018 08:03

michaelmurfy:

I think the thread may have been removed off here (or my google-fu is weak tonight) given how bad it was but Vodafone had a similar thing happen last year with My Vodafone: https://securitybrief.co.nz/story/vodafone-nz-customer-finds-major-loophone-my-vodafone-system/

But yes, pretty bad this time around also.

yep, first thing that came to mind after seeing this is that it's the same type of breach as the My Vodafone portal had. I wonder how many other NZ businesses have the same flaw?

<#
.DISCLAIMER
Anything I post is my own and not the views of my past/present/future employer.
#>

Coil

6614 posts

Uber Geek
+1 received by user: 2153
Inactive user

#2045144 28-Jun-2018 08:05

Vodafone did this a few months ago with Red stack mobile.

OwenWatson

93 posts

Master Geek
+1 received by user: 9

#2045295 28-Jun-2018 11:10

At least they are not trying to shoot the messenger a la Keith Ng. It would be great if the source could name the external experts: they must be laying very low at the moment.

Apple TV

Stream your favourite shows now on Apple TV (affiliate link).

stinger

628 posts

Ultimate Geek
+1 received by user: 169
Inactive user

#2045346 28-Jun-2018 11:50

OwenWatson:

At least they are not trying to shoot the messenger a la Keith Ng. It would be great if the source could name the external experts: they must be laying very low at the moment.

And now we receive an e-mail from Ticketmaster that there is a security incident https://security.ticketmaster.co.nz

freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2045751 28-Jun-2018 19:50

From InternetNZ "InternetNZ weighs in on Z Energy data breach"

InternetNZ believes the Z Energy data breach provides a useful lesson for them, and other organisations.

Ben Creet, Policy Manager at InternetNZ and author of New Zealand’s guidelines for security vulnerability disclosure says, “Once the media get involved in a security breach like Z Energy have had, there has been a failure of processes to disclose and fix a vulnerability.”

Firstly, this is a data breach. That’s why it’s important that the Privacy Bill and it’s mandatory data breach reporting regime is enacted. New Zealand needs to collectively lift its game when data breaches happen. The default position should be to tell your customers when a breach occurs.

If people are finding vulnerabilities and data breaches in New Zealand organisation's websites and services, you should report to CERTNZ. They are the experts and have the mana to get an organisation's attention. You can report a vulnerability to CERT here: https://www.cert.govt.nz/it-specialists/guides/reporting-a-vulnerability/

Additionally, we think that more New Zealand organisations should have their own vulnerability disclosure policies. The New Zealand Internet Task Force released guidelines about how to report, and receive information about security problems in 2013: http://www.nzitf.net.nz/pdf/NZITF_Disclosure_Guidelines_2014.pdf

We run a disclosure policy for the .nz registry (here) and organisations like SkyTV, Vend and even the Office of the Privacy Commissioner have their own policies to encourage reporting directly to their security experts.

InternetNZ will be reaching out to Z Energy on how they can implement a disclosure framework so that vulnerabilities are identified and fixed in a safe, collaborative timely manner.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

Rikkitic

Awrrr
19062 posts

Uber Geek
+1 received by user: 16302

Lifetime subscriber

#2045754 28-Jun-2018 20:04

This kind of thing, which seems to happen quite a lot, is one reason I prefer to pay cash. Some people may think that is quaint, but at least I don't have to worry about my identity being stolen and passed around the world for every kind of shady dealing imaginable.

Plesse igmore amd axxept applogies in adbance fir anu typos

vulcannz

436 posts

Ultimate Geek
+1 received by user: 136
Inactive user

#2045986 29-Jun-2018 12:07

freitasm:

Interesting story on Stuff: Z Energy security breach, but this is the part that is really bad:

It's a question of liability. When NZ companies are fined for data and privacy breach they will pay attention.

Yes our privacy and data breach laws are a joke.

Makes you wonder what Z's PCI-DSS compliance looks look too.

Was the site development outsourced off shore?

sbiddle

30853 posts

Uber Geek
+1 received by user: 9996

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#2045989 29-Jun-2018 12:20

Now they seem to be inferring it was the NCSC that told them not to go public. https://www.stuff.co.nz/national/stuff-circuit/105105403/z-energy-data-breach-minister-clare-curran-alerted-last-year

Z has revealed it sought assistance from the Government's National Cyber Security Centre about dealing with the vulnerability.

It says it was the advice of cyber experts which led to it not telling customers what was really going on.

"Cyber security experts strongly advised against talking about this publicly as a data privacy issue due to additional publicity increasing the risk of cyber security threats," says a spokesperson.

Samsung

Shop now on Samsung phones, tablets, TVs and more (affiliate link).

amanzi

Amanzi
1354 posts

Uber Geek
+1 received by user: 331

ID Verified

Trusted

Lifetime subscriber

#2046010 29-Jun-2018 12:52

sbiddle:

Now they seem to be inferring it was the NCSC that told them not to go public. https://www.stuff.co.nz/national/stuff-circuit/105105403/z-energy-data-breach-minister-clare-curran-alerted-last-year

Z has revealed it sought assistance from the Government's National Cyber Security Centre about dealing with the vulnerability.

It says it was the advice of cyber experts which led to it not telling customers what was really going on.

"Cyber security experts strongly advised against talking about this publicly as a data privacy issue due to additional publicity increasing the risk of cyber security threats," says a spokesperson.

Hmmm.... someone's not telling the whole story...

vulcannz

436 posts

Ultimate Geek
+1 received by user: 136
Inactive user

#2046012 29-Jun-2018 12:55

LOL publicity from additional threats? Only if you think your security is so rubbish it can't handle a few kiddies handling a poke around.

More likely the question would be "do we have to tell?" - and the answer is "nope".