Z Energy : Card online data

Z Energy Limited has been informed on 27 June that customer data from its Z Card online database (ZCOL) was accessed by a third party in late November 2017.

This system enables the customer to manage their fleets directly, rather than through requests to a call centre.

The third party found a way to get unauthorised access to the part of the database that holds data about customer fleets such as names, addresses, registrations numbers, vehicle types and Z Card credit limits.

With the evidence provided to Z to date, the company believes the data accessed does not include bank details, or other information that would put customer finances directly at risk. That is because these sort of customer details were not held within the system that was accessed for security reasons.

After being informed of the privacy breach Z has immediately acted to let affected customers know that their data may have been accessed. Z is committed to assisting customers in any way possible in relation to this incident.

Z has alerted the Privacy Commission to the incident this afternoon.

The system concerned is no longer in operation having been closed on 15 December 2017. Z has built a new Z Card online website that has been tested repeatedly to ensure customer data is secure.

Z has engaged an external provider to commence penetration testing across all of Z's customer facing systems to immediately assess for any vulnerabilities.

Z also operates Caltex Star Card. The Star Card online system has very similar characteristics to that of the former ZCOL system. As a precaution, Z is taking this system down with immediate effect, until the company can be confident it does not exhibit the same vulnerabilities.

Z takes its data privacy responsibility and threats to cyber security very seriously and is taking steps to ensure that the company learns from this incident.