High court action centres around the recent breach of customer information from the Vector Outage App

Credit: Fairfax Media

Vector has taken legal action against news outlet Stuff in New Zealand, applying for a high court injunction following the company’s recent data breach.

The action centres around the recent breach of customer information from the Vector Outage App, and the subsequent publication of a news story by Stuff based on that data.

“Vector has asked Stuff several times to secure, to return or to destroy the confidential Vector customer data now in their possession that was provided to it by the hacker,” a spokesperson for Vector stated. “Stuff Limited has repeatedly refused this request.”

On the morning of 26 April, Vector said it was made aware by Stuff that an unspecified third party had unlawfully accessed the personal information of up to 24,000 Vector customers and provided the data to Stuff. Stuff published a news story on this on the afternoon of April 26.

As reported by Reseller News, the information was from the Vector Outage App and included customer names, phone numbers, email addresses and postal addresses. It didn’t include financial information.

But according to Vector, the company are aware of “at least one” Vector customer impacted who received an “unsolicited approach” from a Stuff reporter in the course of preparing the news story for publication.

“We fully accept Stuff had a valid right to report on the original data breach,” the statement read. “We have made it clear to Stuff that we were not seeking to prevent their reporting on the matter and we have not asked them at any time to disclose their information source.

“However, we do not believe Stuff should have compounded this matter by exploiting the customer data when reporting on it.

“The breach having regrettably occurred in the first place, we are trying to take all the steps we can to reduce any additional impact to the privacy of our customers.”

In response to the action, Stuff editorial director, Mark Stevens, said the website had only held the data "until we determined news gathering activities on this story had finished".

“When I was comfortable with that, I ensured the file containing customer contact details – which we received through a secure server – was destroyed,” said Stevens, issuing an official response via Stuff.co.nz.

“We did not agree to demands from Vector to return material to them because that could obviously risk identifying our source. We not only had the protection of the customer data to consider, but also the protection of our source."

But according to Vector, now that the story has been published, the company said customer data should be “destroyed or returned”.

“Given Stuff’s repeated refusals to Vector’s requests, Vector now considers it has no choice but to take legal action to ensure its customers’ private information is secured and protected,” the statement continued. “In our view not doing so would be tantamount to failing our customers again.

“As a result, Vector has applied to the High Court for an injunction to protect the information from further use. We recognise that taking this step is likely to attract further media attention to Vector for the original customer data breach.

"However, we considered it is more important to take whatever steps we can to secure our customers’ data and protect their privacy.”