Z Energy : Customer update on 2017 data breach issue

Z Energy is sharing the findings of a further investigation into the 2017 unauthorised access of the Z Card Online system with customers.

In November 2017, Z was contacted by an anonymous third party who alerted us to a vulnerability with Z Card Online, the online system used by Z Card customers to manage their fuel cards. When a fix was unsuccessful, Z disabled access to the system in December 2017 and worked with security experts to review the system and the security of customer data within in.

Z launched a new online system for customers to use in March 2018, which has been tested repeatedly to ensure customer data is as secure as it can be.

Z's Chief Executive, Mike Bennetts, apologised for the 2017 security vulnerability, the inconvenience and any worry caused.

'We're sorry for any concern caused by this issue, that we didn't keep your data completely private like we are committed to, and the inconvenience of taking the platform offline for almost three months.

'We also acknowledge that some customers would have preferred to have had more information about the issue when we found out about it. Now that we have the findings from our further investigation into what exactly may have been accessed in the old system, we're committed to fully sharing this information with customers and answering any questions customers may have,' said Mike.

Z has shared the information from this forensic analysis with its Z card customers by phone or email as part of a commitment to communicating clearly with customers about issues relating to their personal data.

Of approximately 30,000 Z Card customers, the investigation has identified that over the prior two-year period, there were 62 customers whose data was viewed by an unauthorised person prior to the site being taken offline in December 2017.

The investigation confirms that the type of data accessed was information such as first name, last name, address, email address, phone number, the Z outlets where card holders make purchases and the broad nature of those purchases.

Investigators found no evidence of unusual card activity including ordering cards or amending card orders, and it was not possible for the person who illegally accessed the data to view any payment information such as bank details.

All of the 62 customers have been contacted in person by Z.

Z has taken steps to ensure security of customer data across all its online customer facing systems.

'Like all organisations using online channels to improve the customer experience, we face an ever-changing landscape of cyber-security threats. However, we have learned from this experience and we're confident that our cyber-security risks are well managed.

'We are committed to protecting the privacy and security of the information customers entrust us with,' said Mike.

If you are a Z card customer, and have not received any communications from Z recently, please contact Z on 0800 474 355.

Media contact: Sheena Thomas 027 551 2589