It is a basic question in the face of a data breach. Do we fix it and keep quiet? Or do we tell the world and risk the consequences? A major fuel company was recently confronted by this challenge, and their response and how they communicated it provides a worrying lesson for issue and crisis managers everywhere.
In November 2017, an unnamed person alerted New Zealand petrol company Z Energy that a “critical flaw” in its online fuel card system potentially exposed customer records, including names, vehicle registration details, where and when they bought petrol and, in some circumstances, even their home address.
Data breach reporting is not yet mandatory in NZ and the company decided to attempt a discreet system patch. However, the anonymous customer later contacted them again, saying the so-called fix was “half baked” and data was still vulnerable. The company then took the system down, telling their 45,000 cardholders it was dealing with a “technical issue”. They subsequently told customers the site was down because “our technology experts have been building a new online portal”.
Then in June 2018, seven months after the initial report and four months after the system was reinstated, it all began to unravel. The dissatisfied customer shared the story with local online news service Stuff Circuit, and the company response was disingenuous and unhelpful. “Yes, our Z Card Online system was taken down for a period whilst we made some improvements and changes. But it is now back up and running and we really don’t have any more to add on this.”
The reporters kept digging and last month, Z Energy CEO Mike Bennetts sat down for a video-taped interview. While confirming that a vulnerability had been identified in November 2017, he insisted their experts found no evidence at the time that data had been compromised. Therefore, he argued, it was a vulnerability issue, not a breach, and there was no need to tell customers. However, when presented on camera with a screenshot showing data from his own company’s vehicle fleet account, he conceded, “It certainly is a security breach.”
The whole case seemed to be captured in reporter Paul Penfold’s final question. “Doesn’t it seem extraordinary that you had a whole ‘war room’ and were consulting with all these experts, yet one member of the public was able to simply change an account number and a URL and get all this information?”
Bennetts replied, “Yes, certainly very, very disappointing and I apologise to our customers. As I said, sometimes these things happen… This is something that was missed on the way through and we are very sorry about that.” Hardly a convincing apology or explanation.
On the basis of the ‘new information’ presented, Z Energy – which provides about one third of New Zealand’s petrol – only then disclosed the breach to the market and the Privacy Commissioner. Yet a company spokesperson admitted to Stuff Circuit that the very same evidence had been emailed to the company by the original informant seven months earlier, when the CEO was out of the country. Involvement by the media “now meant we chose to deal with this differently”. The spokesperson added that the company did not want to keep quiet about the incident, but did so on advice. “We repeatedly challenged this counsel as it did not sit well with our values, but ultimately chose to follow the advice of our experts given our commitment to cybersecurity.”
The most charitable interpretation which can be put on this sorry story is that the company tried to conceal an apparent data breach; failed to advise the regulator in a timely fashion; created a misleading narrative for customers; seemingly did not keep the CEO fully informed; and finally came clean only when there was no other option. Compare this with the value proudly stated in the company’s latest annual report: “We’re committed to being straight up with journalists and the media. That means providing meaningful information, giving straight answers, and setting new standards of transparency in our industry.” Great promise. Poor delivery.
Footnote: A Bill introducing mandatory data breach reporting is currently before the NZ Parliament.