[BreachExchange] We’ve had a data breach… let’s not tell anyone

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jul 16 21:23:22 EDT 2018


https://mumbrella.com.au/weve-had-a-data-breach-lets-not-tell-anyone-529614

It’s a basic question in the face of a data breach: do we fix it and keep
quiet? Or do we tell the world and risk the consequences? A major fuel
company was recently confronted by this challenge, and their response and
how they communicated it provides a worrying lesson for issue and crisis
managers everywhere.

In November 2017, an unnamed person alerted New Zealand petrol company Z
Energy that a “critical flaw” in its online fuel card system potentially
exposed customer records, including names, vehicle registration details,
where and when they bought petrol and, in some circumstances, even their
home address.

Data breach reporting is not yet mandatory in NZ and the company decided to
attempt a discreet system patch. However the anonymous customer later
contacted them again, saying the so-called fix was “half baked” and data
was still vulnerable. The company then took the system down, telling their
45,000 cardholders it was dealing with a “technical issue.” They
subsequently told customers the site was down because “our technology
experts have been building a new online portal.”

Then in June 2018, seven months after the initial report and four months
after the system was reinstated, it all began to unravel. The dissatisfied
customer shared the story with local online news service Stuff Circuit, and
the company response was disingenuous and unhelpful. “Yes, our Z Card
Online system was taken down for a period whilst we made some improvements
and changes. But it is now back up and running and we really don’t have any
more to add on this.”

The reporters kept digging, and last month Z Energy CEO Mike Bennetts sat
down for a videotaped interview. While confirming a vulnerability had been
identified in November 2017, he insisted their experts found no evidence at
the time that data had been compromised. Therefore, he argued, it was a
vulnerability issue, not a breach, and there was no need to tell customers.
However, when presented on camera with a screenshot showing data from his
own company’s vehicle fleet account he conceded: “It certainly is a
security breach.”

The whole case seemed to be captured in reporter Paul Penfold’s final
question: “Doesn’t it seem extraordinary that you had a whole ‘war room’
and were consulting with all these experts, yet one member of the public
was able to simply change an account number and a URL and get all this
information?”

Bennetts replied: “Yes, certainly very, very disappointing and I apologise
to our customers. As I said, sometimes these things happen… This is
something that was missed on the way through and we are very sorry about
that.” Hardly a convincing apology or explanation.

On the basis of the ‘new information’ presented, Z Energy – which provides
about one third of New Zealand’s petrol – only then disclosed the breach to
the market and the Privacy Commissioner. Yet a company spokesperson
admitted to Stuff Circuit that the very same evidence had been emailed to
the company by the original informant seven months earlier, when the CEO
was out of the country. Involvement by the media “now meant we chose to
deal with this differently.”

The spokesperson added that the company did not want to keep quiet about
the incident, but did so on advice. “We repeatedly challenged this counsel
as it did not sit well with our values, but ultimately chose to follow the
advice of our experts given our commitment to cyber security.”

The most charitable interpretation which can be put on this sorry story is
that the company tried to conceal an apparent data breach; failed to advise
the regulator in a timely fashion; created a misleading narrative for
customers; seemingly didn’t keep the CEO fully informed; and finally came
clean only when there was no other option.

Compare this with the value proudly stated in the company’s latest annual
report: “We’re committed to being straight up with journalists and the
media. That means providing meaningful information, giving straight
answers, and setting new standards of transparency in our industry.” Great
promise. Poor delivery.
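The reporter’s closing question describes the flaw in one line: a logged-in user could change the account number in a URL and read another customer’s fuel-card records. That is a missing object-level authorization check, and it is worth seeing the defect beside its fix. The following is an added example written for this list post; it is not code from the article or from Z Energy’s portal. The routes, record fields, user ids and sample data are all constructed for illustration, and the in-memory dictionary stands in for a real database.

```python
# Added example, not from the article or from the company's system.
# Models a fuel-card lookup endpoint: the 'before' handler trusts the account
# number in the URL (the pattern the reporter described); the 'after' handler
# checks that the authenticated user owns the record and logs denials so that
# someone walking through account numbers shows up in the audit trail.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class CardRecord:
    account_no: str
    owner_user_id: str   # the login that is allowed to see this record
    holder_name: str
    vehicle_reg: str
    last_fill: str

# Constructed sample data standing in for the fuel-card database.
RECORDS = {
    "100200": CardRecord("100200", "user-alice", "A. Example", "ABC123", "2018-06-01 Wellington"),
    "100201": CardRecord("100201", "user-bob", "B. Sample", "XYZ789", "2018-06-02 Auckland"),
}

# Denied-access events; a real service would ship these to its SIEM.
AUDIT = []

@dataclass
class Response:
    status: int
    body: Optional[dict]

def parse_account_no(path: str) -> Optional[str]:
    """Extract the account number from a path shaped like /cards/100200."""
    parts = path.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "cards" and parts[1].isdigit():
        return parts[1]
    return None

def _public_view(rec: CardRecord) -> dict:
    """Fields the cardholder is allowed to see; owner id stays internal."""
    return {"holder_name": rec.holder_name,
            "vehicle_reg": rec.vehicle_reg,
            "last_fill": rec.last_fill}

def vulnerable_handler(path: str, session_user: Optional[str]) -> Response:
    """Before: the session proves who is logged in, but the lookup is keyed
    only on the URL's account number and ownership is never checked, so any
    authenticated user can read any account (an insecure direct object
    reference)."""
    if session_user is None:
        return Response(401, None)
    acct = parse_account_no(path)
    rec = RECORDS.get(acct) if acct else None
    if rec is None:
        return Response(404, None)
    return Response(200, _public_view(rec))

def hardened_handler(path: str, session_user: Optional[str]) -> Response:
    """After: fetch the record, then verify the authenticated user owns it.
    'Missing' and 'not yours' both return 404 so the endpoint does not reveal
    which account numbers exist, and every denial is audited."""
    if session_user is None:
        return Response(401, None)
    acct = parse_account_no(path)
    rec = RECORDS.get(acct) if acct else None
    if rec is None or rec.owner_user_id != session_user:
        AUDIT.append({"event": "card_access_denied",
                      "user": session_user, "account": acct})
        return Response(404, None)
    return Response(200, _public_view(rec))

if __name__ == "__main__":
    # Alice asking for Bob's account: succeeds on the old handler, 404 on the new.
    print(vulnerable_handler("/cards/100201", "user-alice"))
    print(hardened_handler("/cards/100201", "user-alice"))
    print(AUDIT)
```

The important design choice is that the ownership check happens on the server against the session identity, not against anything the client supplies; the URL parameter only selects a record, it never authorizes access to it. Logging the denials gives a detection hook: one user triggering many `card_access_denied` events across different account numbers is exactly the pattern a "change the number in the URL" probe produces.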