Late last year, a website for a popular New Zealand petrol company was taken down, out of the blue.
Z Energy - which says that, since it supplies about a third of the country’s fuel, it takes transparency seriously - told customers it had “identified an issue which required us to remove access to Z Card Online”.
What was that issue? Initially, at least, Z kept very quiet.
But after sources familiar with what happened told Stuff Circuit the background and what they say unfolded, Z has admitted what the issue was.
CEO Mike Bennetts says they set up a “war room” to deal with it, and called in outside experts.
Extraordinarily, then, it wasn’t until he sat down with Stuff Circuit that the company finally understood the extent of the problem.
“We clearly got that wrong and I apologise,” says Bennetts.
The issue with the Z card system will be noticed by more than just its customers (there are 45,000 card holders in the country, though it’s unclear how many were exposed).
It’s something that other companies will look closely at too.
Because any analysis of what happened raises questions about the difficulties all businesses face guarding customers’ private information these days, and the conundrum they face when deciding between being transparent and hunkering down in the hope they have fended off cyber invaders.
We live in an era of what is known as the data breach. In April, electricity network provider Vector had to shut down an app after Stuff revealed that a security vulnerability meant the private details of customers could be accessed.
The app, designed to allow customers to notify and track power outages, had a fault which meant information such as names, emails and GPS co-ordinates could be accessed using an HTTP proxy server, without the need to evade security measures.
Vector had to shut down the app and contact customers whose details it believed may have been accessed.
Information security expert Lech Janczewski, an associate professor at Auckland University, says examples of data protection vulnerability are not uncommon. “Unfortunately for Vector they were caught with publicity, but that sort of story happens quite often,” says Janczewski.
“This is happening around the world - it isn’t a question of New Zealand or Auckland.”
The problem, he says, is that companies put value in systems developers building something which looks good, but is not capable of withstanding an attack.
The Z Card Online site is primarily used by businesses to keep track of fuel accounts. Z encourages people to sign up, saying it’s a tool for Kiwi businesses to save time and money “so you can get on with running your business”.
Through the site, companies can see and pay their accounts, keep track of fuel usage, and where and when vehicles are being filled up. It links to payment sites, including the Xero accounting system.
“With Z Card Online you can manage your cards and easily see what’s been spent, where, and by who,” the Z website tells customers now. But visitors to the site in January weren’t met with a sales pitch - there was an apology, and the barest of explanations.
“We’ve found a technical issue with Z Card Online that has required us to make the site unavailable,” a message from January 11 says.
“We understand this impacts on your business and apologise for this. However, we are committed to having a reliable Z Card Online experience, and believe the best way to do this is to take the site offline until we have a fix.”
The site’s functions were offline for about four months, coming back on slowly through a series of “quick releases”. It’s now back up and running.
But in all the time it was down, Z did not tell its customers what the issue was. It says it did that because there had not been any breaches.
But were there? And what was the problem? According to a source, in November last year, a customer noticed a “critical flaw” in the Z Card site.
“The flaw allowed anyone to view the details of another account holder simply by changing the account number in the URL,” says the source.
“The issue affected the entire Z Fuel Card portal and exposed the private details of every Z (fuel card) customer, including names and vehicle registrations, as well as the petrol stations that they had visited and when.”
The person who discovered the problem had typed an incorrect account number into the website address bar on the portal, and immediately gained access without having to enter a password. Not quite believing it, they had tried again, and stumbled into the account of Z Energy staff.
“Anyone’s account could be accessed,” the source says.
Any member of the public, even without having an account, could exploit the problem.
“It was absolutely possible for any member of the public to be able to access the Z Fuel Card account of any company or individual, without needing to login in any way.”
Imagine the implications. After easily gaining access to a customer’s account, a stranger could see not only contact information, but also licence plates, what petrol stations vehicles went to, and the names of people using the cards.
It would be a pretty powerful database and potential surveillance tool, and a possible weapon for anyone intent on industrial espionage (it would be helpful, for instance, for a company to know the movements of a rival firm, to see where and when opposition salespeople are going places).
As well as that, anyone with access could tamper with account settings, and would have access to some financial information such as balances.
“Anyone was able to perform the full functions of an account holder,” says the source. “It was also possible to track where someone may be by looking at the stations that they visit and when. In some circumstances a person’s home address may have been recorded against their account.”
Such an issue is potentially classed as a data vulnerability, and, since others’ accounts were accessed by at least one person (the person who alerted Z), a privacy breach.
The Office of the Privacy Commissioner says there is a distinction between a breach and a vulnerability.
By way of example, it uses the case of the Ministry of Social Development where freelance journalist Keith Ng discovered that he could use computers in branches to access customer information.
“He then alerted our office and showed us the customer information he was able to access – so a vulnerability and a breach,” says a spokesman.
He says where companies discover vulnerabilities, while they are not required to contact the Privacy Commissioner, the advice is they should.
“If only because our advice might be useful, as well as the company being able to demonstrate to its customers and the public that it did the right thing.” Companies have reputational and trust issues to consider.
Where there have been breaches, the current law makes it voluntary to notify the office, although the Privacy Bill will make it mandatory over certain thresholds.
“The law is just one aspect of the data security picture,” says the spokesman. “The rest is about acting ethically and doing the right thing to prevent a vulnerability or breach worsening, and to play a part in containing it so that it causes as small an amount of harm as possible to affected parties.”
So how did Z react to the issue when it was raised?
In its annual report this year, the chairman, Peter Griffiths, makes a bold statement.
“We’re a company committed to full disclosure. At Z, we call it ‘being straight up’ and ‘sharing everything’,” he says in his chairman’s report.
It’s backed up by comments in the media section of the company website.
“We’re a New Zealand company and we supply about a third of New Zealand’s fuel,” it says. “That puts us under what’s popularly known as ‘the media spotlight’.
“We reckon that’s fair enough and we’re committed to being straight up with journalists and the media. That means providing meaningful information, giving straight answers and setting new standards of transparency in our industry.”
After being contacted by the source via SecureDrop, Stuff Circuit approached Z asking if we could talk to someone about what happened, and how it was dealt with.
A spokeswoman got back to us, but it wasn’t really in the spirit of the commitment made by the company about transparency.
“Yes, our Z card online system was taken down for a period whilst we made some improvements and changes,” she says. “But it is now back up and running, and we don’t really have any more to add on this.”
It was not being any more forthcoming with its customers.
In late January, Z was saying that an issue had been identified which required the company to remove access to Z Card Online. “Instead of attempting to fix our older Z Card Online system, we have made a decision to build a new online portal for you.”
By April, Z was telling customers the site had been offline because “our technology experts have been building a new Z Card Online portal” - there wasn’t even any mention of there originally having been an issue at all.
In the 2018 annual report, chief executive Mike Bennetts does not say anything outright, but makes some opaque comments about “operational failures and shortfalls that had adverse impacts on our customers” during the third quarter of the financial year.
“We acknowledge these events made life and business tougher for our customers than it should have been. For all of that, we sincerely apologise. We’ve learnt from it and taken actions. We responded to these issues with reviews akin to those typically conducted for a workplace fatality. That is how seriously we have taken our poor operational performance during that time.”
Bennetts also notes in his report that, based on external advice, Z has upgraded its cyber security.
Certainly, the Z Card Online site was due for an upgrade. Source code for the site shows it was built in 1999. Which means potentially this vulnerability has been a risk for nearly two decades.
The 2017 annual report shows the company had planned to upgrade it in 2019.
Events, it seems, sped up that process.
Eventually, after a series of exchanges with Z’s public relations department, and after information obtained from a source was put to them, the company responded.
It says that late last year, the call centre was approached with a suggestion that there may be a vulnerability.
“As soon as we were alerted to this, we took the entire Z card online system down as a precaution, which is standard procedure for any real or potential security threat,” says a spokeswoman. “We did not want to leave this system in operation if there was even a small risk that any data could be accessed.”
An outside expert was brought in to figure out if there had been any actual security compromise.
“They were unable to find any evidence of this. However they did advise us that security could be further improved.
“As we found no evidence that security had been compromised, we did not inform our customers. Again this is standard procedure given the number of direct and indirect threats we receive. However we proactively took our system down given the advice that security could be further improved.”
But some of what the company says doesn’t line up with what the source says, and what Stuff Circuit has been able to verify.
The first approach to the company about the problem was in November, but the company did not seem to initially comprehend how serious the issue was, according to a source.
An initial patch was applied, which at least meant that a customer needed to be logged in before they could access others’ accounts - but the point was they could still access others’ accounts.
Information seen by Stuff Circuit indicates that it wasn’t until mid-December, after Z was again approached and told the solution was not enough and that accounts were still vulnerable, that the system was shut down.
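The difference between the original flaw, the first patch and an object-level authorisation check, sketched as an added example (not code from Z or from this article; the account data and every function name are constructed for illustration):

```python
# Added illustration with constructed data; every name here is hypothetical.
from dataclasses import dataclass

# Constructed accounts, keyed by the account number carried in the URL.
ACCOUNTS = {
    "100001": {"owner": "alice", "plates": ["ABC123"]},
    "100002": {"owner": "bob", "plates": ["XYZ789"]},
}

@dataclass
class Session:
    user: str  # identity established at login

class Forbidden(Exception):
    pass

def view_original(account_no, session=None):
    # Flaw as reported: the account number in the URL is the only input used.
    return ACCOUNTS[account_no]

def view_first_patch(account_no, session=None):
    # First patch as reported: login is required, ownership is still not checked.
    if session is None:
        raise Forbidden("login required")
    return ACCOUNTS[account_no]

def view_fixed(account_no, session=None):
    # Authentication plus an object-level check tying the account to the session.
    if session is None:
        raise Forbidden("login required")
    account = ACCOUNTS.get(account_no)
    # One error for unknown and foreign accounts, so replies do not confirm numbers.
    if account is None or account["owner"] != session.user:
        raise Forbidden("not your account")
    return account

def access_matrix(handler):
    # Regression check: which (actor, account) pairs does the handler allow?
    actors = {"anonymous": None, "alice": Session("alice"), "bob": Session("bob")}
    allowed = set()
    for name, session in actors.items():
        for account_no in ACCOUNTS:
            try:
                handler(account_no, session)
                allowed.add((name, account_no))
            except Forbidden:
                pass
    return allowed
```

Running `access_matrix` against each handler shows why a login requirement alone did not close the hole: only the last handler limits each user to their own account.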
Furthermore, while Z says there was no actual security compromise, Stuff Circuit has seen evidence that this is not right - according to a source, the company’s own accounts were accessed. Among the details seen were names of drivers and vehicle registration numbers. And with the click of one button, all company accounts could have been suspended.
A source has said at least one other account was accessed without the owner’s permission too.
Regardless of exactly what happened, Z has confirmed that it brought forward its plans to upgrade its system, and says that it acted in customers’ best interests.
“We consider our actions to be the sort of overreaction customers should expect when there is any real or potential risk to their data and privacy.”
Z CEO Mike Bennetts is polite, approachable and affable when he arrives for an interview with Stuff Circuit.
Initially, he repeats much of what the company spokesperson has said, although he does provide more detail, including that a “war room” had been set up.
He gives dates too, confirming it was actually November 29 that Z was first alerted to the problem, and that an initial patch was applied to the site on December 6.
After the person who had alerted them told them the patch was “half-baked”, the system was taken down on December 15.
Like the spokesperson, he is adamant there was no actual breach of private information, based on what internal and external experts told him.
“In both cases they independently came back to us and said, ‘we cannot see any evidence of the system being compromised’,” says Bennetts.
In that case, he says, it was the right decision not to tell customers about what had happened.
His position changes, though, when we hand him a print-out of a screenshot. It’s from Z’s own company fleet, showing driver names, car registrations and other information.
“It’s certainly a security breach,” he says.
“We apologise for not actually responding to this appropriately, given what we knew at the time, and we assure [customers] that the steps that we took were reasonable as we knew at the time. We took advice from outside parties, experts in this matter, as well as government agencies about how to deal with this matter. And each step of the way we were advised we were doing the right thing.”
He emphasises that Z takes information security seriously, saying it is at the top of the agenda alongside physical health and safety.
And the replacement system, he says, is “a modern platform built with modern code, with modern security measures” so customers can be confident about it.
Lech Janczewski, from Auckland University, says high profile cases of information security attacks mean more companies will be taking note of how seriously they should be taking the issue.
“People are not trained to develop secure software.” The biggest problem, he says, is cost.
While there are widespread concerns about security, “the truth is these concerns are not being translated into effective action”.
Still, he says, the message does finally seem to be getting through to the top. A major global survey of companies shows that 15 years ago, information security did not figure in executives’ concerns. “Now it’s usually one of the top three or four.”
And at Z, you can bet that it will now stay up near the top of the list of priorities. Hopefully, too, alongside “new standards of transparency in our industry”.