New Zealand-based fuel supplier Z Energy has been presented with evidence that customer data from its Z Card Online database was accessed by a third party in November 2017.
The database held customer data such as names, addresses, registration numbers, vehicle types and credit limits with the company.
“Z takes its data privacy responsibility and threats to cyber security very seriously and is taking steps to ensure that the company learns from this incident,” a company statement read.
“With the evidence provided to Z to date, the company believes the data accessed does not include bank details, or other information that would put customer finances directly at risk.
“That is because these sort of customer details were not held within the system that was accessed for security reasons.”
At this stage, Z Energy did not specify the extent to which its customer data had been compromised.
The company said it had notified affected customers and advised the Privacy Commissioner of the breach, with the system in question closed since December 2017.
“After being informed of the privacy breach Z has immediately acted to let affected customers know that their data may have been accessed,” the statement added.
“Z is committed to assisting customers in any way possible in relation to this incident.”
The Z Card allows customers to manage fuel accounts online, and is used primarily by companies with vehicle fleets.
The business said it had been made aware of a potential vulnerability in the system in November, but had not found evidence of any data breaches at that time.
“Z has engaged an external provider to commence penetration testing across all of Z’s customer facing systems to immediately assess for any vulnerabilities,” the statement said.
“Z also operates Caltex Star Card. The Star Card online system has very similar characteristics to that of the former ZCOL system.
“As a precaution, Z is taking this system down with immediate effect, until the company can be confident it does not exhibit the same vulnerabilities.”
Z Energy operates in both New Zealand and Australia. New laws in Australia requiring companies to report data breaches took effect in late-February this year.
(Reporting by Ambar Warrick in Bengaluru and James Henderson)