Z Energy chief executive Mike Bennetts is confronted with evidence his own company's records were accessed in a breach of its Z Card.

Fuel company Z has admitted a major security fault that potentially allowed access to an as-yet unknown number of business accounts and personal details.



Z was unaware of the full extent of the breach until told this week as part of an investigation by Stuff Circuit.

Chief executive Mike Bennetts immediately apologised and invited customers who think they may have been affected to contact the company.

A replacement system that does not have the flaw is now up and running.

The problem hit the company's Z Card Online system, which allows people to manage fuel accounts, mostly for business fleets. There are about 45,000 Z fuel cards in the country.

Z was alerted to the "critical flaw" by a member of the public on November 29 last year.

Photo: Phil Johnson/Stuff Circuit. A Stuff Circuit investigation reveals a data breach at Z Energy.

Bennetts told Stuff Circuit the company set up a "war room" to investigate the issue.

"Our expert said there is a possibility it could be vulnerable so we put in place an additional fix. We upgraded the software and we released that to the market on December 6, giving ourselves and ultimately our customers confidence that whatever vulnerability there may have been had actually been closed off."

However, a source has told Stuff Circuit that upgrade was a "half-baked fix" because access was still possible, and the company was then advised the problem had not been solved.

Z finally took the site offline on December 15 but it did not tell customers there had been a potential security breach, saying only it had a "technical issue".

The source contacted Stuff Circuit because they were concerned Z had not taken the issue seriously enough and had not been transparent with customers.

A Z spokesperson initially told Stuff Circuit they did not want to be interviewed, saying "yes, our Z card online system was taken down for a period whilst we made some improvements and changes. But it is now back up and running and we don't really have any more to add on this".

But after being told Stuff Circuit had more information, the company eventually agreed to an interview with chief executive Mike Bennetts, who, when confronted with the evidence, admitted the company had not been aware of the extent of the problem.

The Z Card Online vulnerability meant any member of the public could access accounts simply by changing the account number in the site's URL: the portal used the number in the address as the only key to a customer's record, without checking that the requester was logged in or entitled to that account.

Photo: David White/Stuff. Fuel company Z has admitted it had a security fault with an online system.

The person who discovered the problem had typed an incorrect account number into the website address bar on the portal, and immediately gained access without having to enter a password.
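The flaw described above is what application security practitioners call an insecure direct object reference: the server takes an identifier from the client and uses it as the sole key to the record, never asking who is making the request. The following is an added illustration written for this article. It is not Z's code and says nothing about how Z Card Online was actually built; the account numbers, customer names and record fields are constructed sample data. It places a lookup with the flaw beside a hardened one that requires a login, checks that the record belongs to that login, and raises the same error for unknown and foreign account numbers, so that an attacker walking through numbers cannot even learn which ones exist.

```python
"""Insecure direct object reference (IDOR) on an account lookup, and the fix.

Hypothetical example written for this article. It is not Z Energy's code and
does not describe how Z Card Online was implemented; the account numbers,
customer names and field names below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample "database": account number -> record. In the vulnerable
# design the account number taken from the URL is the only key consulted.
ACCOUNTS = {
    "10001": {"owner": "customer-a", "vehicles": ["ABC123"],
              "pin": "4321", "status": "active"},
    "10002": {"owner": "customer-b", "vehicles": ["XYZ789", "LMN456"],
              "pin": "8765", "status": "active"},
}


@dataclass
class Session:
    """What the server knows about the requester. customer=None: not logged in."""
    customer: Optional[str] = None


class NotFound(Exception):
    """Single generic failure for both unknown and foreign account numbers."""


def get_account_vulnerable(session: Session, account_number: str) -> dict:
    """Vulnerable: trusts the account number from the URL and ignores the session.

    Anyone who edits the number in the address bar receives someone else's
    record, PIN included, with no password ever being asked for.
    """
    return ACCOUNTS[account_number]


def get_account_hardened(session: Session, account_number: str) -> dict:
    """Hardened: require a login, then require that the record belongs to it.

    Unknown and foreign accounts raise the same NotFound so the error cannot
    be used to enumerate valid account numbers.
    """
    if session.customer is None:
        raise PermissionError("login required")
    record = ACCOUNTS.get(account_number)
    if record is None or record["owner"] != session.customer:
        raise NotFound(account_number)
    # Even the legitimate owner gets no PIN back from a read-only view.
    return {k: v for k, v in record.items() if k != "pin"}


def enumerate_accounts(lookup: Callable[[Session, str], dict],
                       session: Session, start: int, count: int) -> list:
    """Simulate the move from the article: walk account numbers in the URL and
    keep every record the server hands back."""
    found = []
    for n in range(start, start + count):
        try:
            found.append((str(n), lookup(session, str(n))))
        except (KeyError, NotFound, PermissionError):
            pass
    return found


if __name__ == "__main__":
    anonymous = Session()
    print("vulnerable, not logged in:",
          enumerate_accounts(get_account_vulnerable, anonymous, 10000, 5))
    print("hardened, not logged in:",
          enumerate_accounts(get_account_hardened, anonymous, 10000, 5))
    print("hardened, logged in as customer-a:",
          enumerate_accounts(get_account_hardened, Session("customer-a"), 10000, 5))
```

The ownership check in `get_account_hardened` has to sit in front of every operation that takes an account number, not only the read view: the article notes the exposed pages also allowed accounts to be suspended, and a write path that skips the check is the same bug with worse consequences. A test that runs the enumeration loop against each handler with an anonymous session is a cheap regression check that the fix has actually closed the hole, which is the check a "half-baked fix" would have failed.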

Bennetts said when initially alerted to the vulnerability the company sought experts to determine whether the system had been compromised.

"To the best of our ability to determine that, it had not been."

But on Wednesday, when shown screenshots obtained by Stuff Circuit of Z's own account details, Bennetts admitted the problem was far greater than Z knew.

The screenshot shows accounts under Z Energy Limited, including car registration numbers and driver details. It also appears to give access to card PINs and the ability to suspend accounts.

The source told Stuff Circuit, "It was absolutely possible for any member of the public to be able to access the Z Fuel Card account of any company or individual, without needing to log in in any way".

On being shown the screenshot, Bennetts confirmed it was the card details for the Z Energy fleet, and admitted that, contrary to the advice the company had received, it proved the system had been compromised.

"It's certainly a security breach.

"We apologise for not actually responding to this appropriately, given what we knew at the time, and we assure [customers] that the steps that we took were reasonable as we knew at the time. We took advice from outside parties, experts in this matter, as well as government agencies about how to deal with this matter. And each step of the way we were advised we were doing the right thing."

When asked whether it seemed extraordinary that all the experts Z had engaged didn't identify the compromise found by a member of the public, he said, "Yes it's certainly very, very disappointing and I apologise to our customers about that. This is clearly something that was missed and we're very sorry about that".

Bennetts said the technology on which Z Card Online operated was a "legacy system" which Z inherited when it bought the company eight years ago, and since it was taken offline in December it had been replaced by a new system.