Z Energy says customer data breached by security flaw

Z Energy petrol station. Photo: John Sefton

Z Energy says its customer database for the Z card online was breached due to a security flaw and has advised affected customers and the Privacy Commissioner of the failing.

Stuff today reported the breach of the online system, which lets people manage fuel accounts mainly business fleets. Z wasn't aware of the extent of the breach until it was told this week during the media company's investigation, it reported.

Wellington-based Z released a statement saying it was presented with evidence today that the database was accessed by a third party in November last year and "has immediately acted to let affected customers know what data may have been accessed and has also advised the Privacy Commissioner of the breach".

The transport fuels company was aware of the vulnerability last November and took steps to deal with the flaw, closing the system on Dec. 15 last year, it said. The database included information such as a customer's name, address, registration number, vehicle type and credit limits with Z, but no "bank details, pin numbers or information that would put customer finances directly at risk".

"Z takes its data privacy responsibility and threats to cyber security very seriously and is taking steps to ensure the company learns from this incident," it said.

The statement was released after the close of trading, although Stuff broke its story in the late afternoon. The shares fell 0.3 percent to $7.49.