28 June 2018
InternetNZ believes the Z Energy data breach provides a useful lesson for them and for other organisations.
Ben Creet, Policy Manager at InternetNZ and author of New Zealand’s guidelines on security vulnerability disclosure,
says, “Once the media get involved in a security breach like Z Energy have had, there has been a failure of processes to
disclose and fix a vulnerability.”
Firstly, this is a data breach. That’s why it’s important that the Privacy Bill and its mandatory data breach reporting
regime is enacted. New Zealand needs to collectively lift its game when data breaches happen. The default position
should be to tell your customers when a breach occurs.
If people are finding vulnerabilities and data breaches in New Zealand organisations’ websites and services, they should
report them to CERT NZ: they are the experts and have the mana to get organisations’ attention. You can report a vulnerability
to CERT NZ here: https://www.cert.govt.nz/it-specialists/guides/reporting-a-vulnerability/
Additionally, we think that more New Zealand organisations should have their own vulnerability disclosure policies. The
New Zealand Internet Task Force released guidelines in 2013 on how to report, and how to receive, information about security
problems: http://www.nzitf.net.nz/pdf/NZITF_Disclosure_Guidelines_2014.pdf
We run a disclosure policy for the .nz registry, and organisations like SkyTV, Vend and even the Office of the
Privacy Commissioner have their own policies to encourage reporting directly to their security experts.
InternetNZ will be reaching out to Z Energy on how they can implement a disclosure framework so that vulnerabilities are
identified and fixed in a safe, collaborative and timely manner.
ends